Analysis Report 1wOdXavtlE.exe

Overview

General Information

Sample Name: 1wOdXavtlE.exe
Analysis ID: 383846
MD5: a7e67e6abd539aeddbb9021d23f6f217
SHA1: cea85a6d9e417f2b8c2b3962a1359defc096e502
SHA256: f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
Tags: exe

Detection

RMSRemoteAdmin
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected RMS RemoteAdmin tool

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\is-PFD3D.tmp ReversingLabs: Detection: 55%
Source: C:\ProgramData\is-R3F67.tmp ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\servs.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: 1wOdXavtlE.exe Metadefender: Detection: 16%
Source: 1wOdXavtlE.exe ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 1wOdXavtlE.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 1wOdXavtlE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\ProgramData\Immunity\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: 1wOdXavtlE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040B268 FindFirstFileW,FindClose, 17_2_0040B268
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 17_2_0040AC9C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005E9B24 FindFirstFileW,GetLastError, 19_2_005E9B24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040CBFC FindFirstFileW,FindClose, 19_2_0040CBFC
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 19_2_0040C630
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_00641778 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 19_2_00641778

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 86.107.197.8 ports 1,2,3,4,8,38214
Performs DNS queries to domains with low reputation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe DNS query: pokacienon.xyz
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49766
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49761 -> 86.107.197.8:38214
Source: global traffic TCP traffic: 192.168.2.6:49763 -> 195.54.160.9:32972
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: pokacienon.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: pokacienon.xyzContent-Length: 1137076Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: pokacienon.xyzContent-Length: 1137062Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 86.107.197.8:38214Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 195.54.160.9:32972Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 86.107.197.8:38214Content-Length: 856112Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 86.107.197.8:38214Content-Length: 856098Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 195.54.160.9:32972Content-Length: 23182Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 195.54.160.9:32972Content-Length: 23168Expect: 100-continueAccept-Encoding: gzip, deflate
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.192.141.1
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.442264061.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","P
ackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z||.||9f1af5de-a917-4d59-b623-fd59991517bf||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.439276219.00000221A4002000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning 
schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.442380240.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","Fu
lfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
Source: unknown DNS traffic detected: queries for: pokacienon.xyz
Source: unknown HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
    Host: pokacienon.xyz
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
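The POST above is a WCF-style SOAP call: the SOAPAction lives under http://tempuri.org/, the placeholder namespace Visual Studio emits when a developer never sets one, it goes to a bare "/" on a freshly queried .xyz host, and it carries the "Expect: 100-continue" header that .NET's HttpWebRequest sends by default. None of these is damning alone, but together they are a usable network detection. The following is an added example, not part of the Joe Sandbox report: a small HTTP request-head parser and a scoring function that flags those traits. The first sample request is re-assembled from the headers the report shows (CRLF line ends restored, body omitted); the second is a constructed benign SOAP call to a hypothetical host, and the TLD list and score weights are my own assumptions.

```python
"""Flag the SOAP beacon traits seen in the captured POST to pokacienon.xyz.

Added example, not part of the sandbox report.  The parser handles the request
line and headers of an HTTP/1.x request head; the scorer looks for the traits
the report's POST exhibits.  Sample requests below are constructed for this
example; the TLD list and weights are assumptions, tune them to your telemetry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder namespace that Visual Studio / WCF use when no service namespace
# is configured.  Legitimate production services rarely ship with it.
WCF_DEFAULT_NS = "http://tempuri.org/"

# Cheap TLDs that show up often in low-reputation hostnames (assumption).
SUSPECT_TLDS = (".xyz", ".top", ".club", ".icu")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)   # header names lower-cased


def parse_request_head(raw: bytes) -> HttpRequest:
    """Parse the request line and headers; stop at the blank line (body not needed).

    Raises ValueError on a malformed request line so callers never score garbage.
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    req = HttpRequest(method=parts[0], target=parts[1], version=parts[2])
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def score_soap_beacon(req: HttpRequest) -> Tuple[int, List[str]]:
    """Return (score, reasons) for the traits visible in the report's POST.

    Each trait is weak on its own; the combination is what stands out.
    """
    reasons: List[str] = []
    score = 0
    action = req.headers.get("soapaction", "").strip('"')
    if action.startswith(WCF_DEFAULT_NS):
        score += 3
        reasons.append(f"SOAPAction under WCF placeholder namespace: {action}")
    host = req.headers.get("host", "").split(":")[0].lower()
    if host.endswith(SUSPECT_TLDS):
        score += 2
        reasons.append(f"Host on low-reputation TLD: {host}")
    if req.method == "POST" and req.target == "/" and action:
        score += 1
        reasons.append("SOAP POST to bare '/' with no service path")
    if req.headers.get("expect", "").lower() == "100-continue":
        score += 1
        reasons.append("Expect: 100-continue (default .NET HttpWebRequest behaviour)")
    return score, reasons


def is_suspicious(raw: bytes, threshold: int = 5) -> bool:
    """True when the request head scores at or above the threshold."""
    score, _ = score_soap_beacon(parse_request_head(raw))
    return score >= threshold


# Constructed sample 1: the report's POST with CRLFs restored (body omitted).
BEACON = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://tempuri.org/Endpoint/GetArguments"\r\n'
    b"Host: pokacienon.xyz\r\n"
    b"Content-Length: 137\r\n"
    b"Expect: 100-continue\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed sample 2: an ordinary SOAP call with a real namespace and path (hypothetical host).
BENIGN = (
    b"POST /erp/OrderService.svc HTTP/1.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://schemas.example.com/orders/v2/IOrderService/Submit"\r\n'
    b"Host: erp.example.com\r\n"
    b"Content-Length: 512\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("beacon", BEACON), ("benign", BENIGN)):
        total, why = score_soap_beacon(parse_request_head(sample))
        print(f"{label}: score={total}")
        for reason in why:
            print("   -", reason)
```

Run it against reassembled request heads from a proxy or IDS log; the beacon scores 7 and the benign call 0. A threshold of 5 requires the tempuri.org namespace plus at least one of the host or transport traits, which keeps internal dev/test WCF services (tempuri.org, but a real path and an internal host) from firing alone.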
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/Di
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz:80/
Source: 1wOdXavtlE.exe, 00000002.00000002.486054377.0000000002DFF000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyzdr
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: http://s3-1-w.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoipAppData
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb4
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/62ab596d-a885-
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/9580842f-6891-
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485408204.0000000002CE9000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/a1867a39-2dbe-
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/newred.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/serv.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/test.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.orgD8
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1tMzh7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg72
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7r
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg7
Source: 1wOdXavtlE.exe, 00000002.00000002.483173141.0000000001111000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg78
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg7Z
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://wtfismyip.com/text
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ssevs.exe, 00000016.00000002.482511545.0000000001458000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\CertMgry\is-I14BP.tmp

System Summary:

Uses regedit.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 17_2_004A0E24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 19_2_005ECBC0
Creates files inside the system directory
Source: C:\Windows\System32\cmd.exe File created: C:\Windows
Detected potential crypto function
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_00D4C36C 0_2_00D4C36C
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_00D4ED38 0_2_00D4ED38
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC0488 0_2_04DC0488
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC1C8B 0_2_04DC1C8B
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC0478 0_2_04DC0478
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC06F8 0_2_04DC06F8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC06E9 0_2_04DC06E9
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC5A38 0_2_04DC5A38
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DEF668 0_2_04DEF668
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DE90F8 0_2_04DE90F8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DEA140 0_2_04DEA140
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DECED0 0_2_04DECED0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DE6F60 0_2_04DE6F60
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DE2A50 0_2_04DE2A50
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DED0B8 0_2_04DED0B8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DED0A8 0_2_04DED0A8
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DEE3DF 0_2_04DEE3DF
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DEE3E0 0_2_04DEE3E0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DEF350 0_2_04DEF350
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 2_2_00FBD7F0 2_2_00FBD7F0
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 2_2_00FBCAB8 2_2_00FBCAB8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004254D0 17_2_004254D0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040ECB4 17_2_0040ECB4
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00431F50 17_2_00431F50
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0064022C 19_2_0064022C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0041073E 19_2_0041073E
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040AFF4 19_2_0040AFF4
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0301EA60 22_2_0301EA60
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0301EA70 22_2_0301EA70
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0301CA7C 22_2_0301CA7C
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07696FD0 22_2_07696FD0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A618 22_2_0769A618
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07691C78 22_2_07691C78
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07690B60 22_2_07690B60
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07692B90 22_2_07692B90
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_076912B0 22_2_076912B0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_076961D8 22_2_076961D8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07690040 22_2_07690040
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07696FC0 22_2_07696FC0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07697FA9 22_2_07697FA9
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07697FB0 22_2_07697FB0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A609 22_2_0769A609
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694E00 22_2_07694E00
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694568 22_2_07694568
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694578 22_2_07694578
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694DF0 22_2_07694DF0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07691C6A 22_2_07691C6A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07697498 22_2_07697498
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A368 22_2_0769A368
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07692B7A 22_2_07692B7A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769AB42 22_2_0769AB42
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A359 22_2_0769A359
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694BE0 22_2_07694BE0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07694BD0 22_2_07694BD0
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07695278 22_2_07695278
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07699249 22_2_07699249
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07693A40 22_2_07693A40
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07699258 22_2_07699258
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07693A30 22_2_07693A30
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07690AD1 22_2_07690AD1
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_076912A1 22_2_076912A1
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07695288 22_2_07695288
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07697978 22_2_07697978
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A920 22_2_0769A920
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769A930 22_2_0769A930
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_076961C8 22_2_076961C8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07697988 22_2_07697988
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_0769506A 22_2_0769506A
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07695078 22_2_07695078
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Code function: 22_2_07690006 22_2_07690006
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F53D48 23_2_00007FF7D9F53D48
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005EA59C appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005BC3D8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005D3750 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005F3814 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005D3A34 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005F3590 appears 39 times
PE file contains executable resources (Code or Archives)
Source: servs.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: servs.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
PE file contains more sections than normal
Source: is-PFD3D.tmp.19.dr Static PE information: Number of sections : 17 > 10
PE file contains strange resources
Source: 1wOdXavtlE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: servs.tmp.17.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000000.322469152.000000000036B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIEFRAME.DLL.MUID vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.482401861.0000000001030000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp Binary or memory string: OriginalFilename6Qgb9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532430822.00000000087F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530971740.00000000080C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.477691078.000000000080B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.492060863.0000000003C24000.00000004.00000001.sdmp Binary or memory string: OriginalFilename9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.476252478.0000000000418000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe
Uses 32bit PE files
Source: 1wOdXavtlE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 1wOdXavtlE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.1wOdXavtlE.exe.400000.0.unpack, BrowserExtension/Data/Crypto/CryptoHelper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@50/66@28/9
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 17_2_004A0E24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 19_2_005ECBC0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0041A5FC GetDiskFreeSpaceW, 17_2_0041A5FC
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_00601290 GetVersion,CoCreateInstance, 19_2_00601290
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A16FC FindResourceW,SizeofResource,LoadResource,LockResource, 17_2_004A16FC
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1wOdXavtlE.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\ProgramData\Immunity\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$694
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_01
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Temp\tmp379E.tmp
Source: Yara match File source: 00000025.00000002.549143519.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.508478042.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Immunity\is-2SOD7.tmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Immunity\is-4BBH3.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: 1wOdXavtlE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\servs.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\pass.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Immunity\rutserv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 1wOdXavtlE.exe Metadefender: Detection: 16%
Source: 1wOdXavtlE.exe ReversingLabs: Detection: 58%
Source: servs.exe String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: unknown Process created: C:\Users\user\Desktop\1wOdXavtlE.exe 'C:\Users\user\Desktop\1wOdXavtlE.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\servs.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp 'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Process created: C:\ProgramData\pass.exe C:\ProgramData\pass.exe
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\ProgramData\pass.exe Process created: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp 'C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp' /SL5='$10584,9506241,724480,C:\ProgramData\pass.exe'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'regedit /s C:\ProgramData\Immunity\ses.reg'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\Immunity\install.cmd''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 1wOdXavtlE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1wOdXavtlE.exe Static file information: File size 1285632 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1wOdXavtlE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
.NET source code contains potential unpacker
Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains an invalid checksum
Source: is-PFD3D.tmp.19.dr Static PE information: real checksum: 0xc2cd should be: 0x193fb
Source: 1wOdXavtlE.exe Static PE information: real checksum: 0x0 should be: 0x13dc3c
Source: servs.tmp.17.dr Static PE information: real checksum: 0x0 should be: 0x271505
Source: is-R3F67.tmp.19.dr Static PE information: real checksum: 0x0 should be: 0x9c1fa0
PE file contains sections with non-standard names
Source: servs.tmp.17.dr Static PE information: section name: .didata
Source: is-PFD3D.tmp.19.dr Static PE information: section name: .xdata
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /4
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /19
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /31
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /45
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /57
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /70
Source: is-R3F67.tmp.19.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_00D4CA14 push esp; retn 0278h 0_2_00D4CA21
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC0400 push ecx; ret 0_2_04DC0415
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC65A0 pushfd ; retf 0_2_04DC65A1
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A7000 push 004A70DEh; ret 17_2_004A70D6
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A7980 push 004A7A43h; ret 17_2_004A7A3B
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0043007C push ecx; mov dword ptr [esp], eax 17_2_0043007D
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004990DC push ecx; mov dword ptr [esp], edx 17_2_004990DD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045608C push ecx; mov dword ptr [esp], ecx 17_2_00456090
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00430094 push ecx; mov dword ptr [esp], eax 17_2_00430095
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00498140 push ecx; mov dword ptr [esp], edx 17_2_00498141
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045A16C push ecx; mov dword ptr [esp], edx 17_2_0045A16D
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045410C push 00454162h; ret 17_2_0045415A
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004251C8 push ecx; mov dword ptr [esp], eax 17_2_004251CD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0041A1D4 push ecx; mov dword ptr [esp], ecx 17_2_0041A1D8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00459260 push ecx; mov dword ptr [esp], edx 17_2_00459261
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00430214 push ecx; mov dword ptr [esp], eax 17_2_00430215
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00494220 push 004942FFh; ret 17_2_004942F7
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004223E4 push 004224E8h; ret 17_2_004224E0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458380 push ecx; mov dword ptr [esp], edx 17_2_00458381
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458390 push ecx; mov dword ptr [esp], edx 17_2_00458391
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004953AC push ecx; mov dword ptr [esp], edx 17_2_004953AD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00493450 push ecx; mov dword ptr [esp], edx 17_2_00493453
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458464 push ecx; mov dword ptr [esp], ecx 17_2_00458468
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00499470 push ecx; mov dword ptr [esp], edx 17_2_00499471
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00457420 push ecx; mov dword ptr [esp], eax 17_2_00457422
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004544AC push ecx; mov dword ptr [esp], edx 17_2_004544AD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0048D544 push ecx; mov dword ptr [esp], edx 17_2_0048D546
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00429520 push ecx; mov dword ptr [esp], edx 17_2_00429522
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045A520 push ecx; mov dword ptr [esp], edx 17_2_0045A521
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004595B4 push ecx; mov dword ptr [esp], edx 17_2_004595B5
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00498604 push ecx; mov dword ptr [esp], edx 17_2_00498605
Source: initial sample Static PE information: section name: .text entropy: 7.52934612956
Source: 1wOdXavtlE.exe, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 1wOdXavtlE.exe, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 1wOdXavtlE.exe, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'