Windows Analysis Report
CsTapHIkAO.exe

AV Detection

Source: CsTapHIkAO.exe	ReversingLabs: Detection: 30%
Source: CsTapHIkAO.exe	Virustotal: Detection: 41%			Perma Link

Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Virustotal: Detection: 41%			Perma Link

Source: CsTapHIkAO.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe

Joe Sandbox ML: detected

Source: 0.2.CsTapHIkAO.exe.3e30db0.7.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.spjsv.ro", "Username": "psihiatrie@spjsv.ro", "Password": "Qpgi1i[5KoaZ"}

Compliance

Source: CsTapHIkAO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2

Source: CsTapHIkAO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
Source:	Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr

Networking

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 104.237.62.211 104.237.62.211
Source: Joe Sandbox View	IP Address: 89.43.174.45 89.43.174.45

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49701 -> 89.43.174.45:26

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateSe
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.350298559.0000000001033000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.382899429.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.spjsv.ro
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.553832121.0000000007AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\CsTapHIkAO.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: CsTapHIkAO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 0_2_010AC844		0_2_010AC844
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 0_2_010AF1E8		0_2_010AF1E8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 0_2_010AF1F8		0_2_010AF1F8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_0179C978		1_2_0179C978
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_0179A9B8		1_2_0179A9B8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_01799DA0		1_2_01799DA0
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_0179A0E8		1_2_0179A0E8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06D8C6F0		1_2_06D8C6F0
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06D8F218		1_2_06D8F218
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06D87C21		1_2_06D87C21
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06D86840		1_2_06D86840
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DBE650		1_2_06DBE650
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DBB570		1_2_06DBB570
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DB4690		1_2_06DB4690
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DB8F98		1_2_06DB8F98
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DB7FB8		1_2_06DB7FB8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DB1D48		1_2_06DB1D48
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06F421CC		1_2_06F421CC
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06F42F48		1_2_06F42F48
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06F4ADE0		1_2_06F4ADE0
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06F42F38		1_2_06F42F38
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_00B2C844		11_2_00B2C844
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_00B2F1F8		11_2_00B2F1F8
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_00B2F1E8		11_2_00B2F1E8
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A00B0		11_2_066A00B0
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A44C2		11_2_066A44C2
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A00C6		11_2_066A00C6

Source: CsTapHIkAO.exe, 00000000.00000002.299330117.0000000007210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003E30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000000.00000000.251613107.000000000070A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe, 00000001.00000002.522177243.0000000000FA9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CsTapHIkAO.exe
Source: CsTapHIkAO.exe	Binary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe

Source: CsTapHIkAO.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BKEDEaL.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CsTapHIkAO.exe	ReversingLabs: Detection: 30%
Source: CsTapHIkAO.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

File read: C:\Users\user\Desktop\CsTapHIkAO.exe

Jump to behavior

Source: CsTapHIkAO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CsTapHIkAO.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/9@12/3

Source: CsTapHIkAO.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: CsTapHIkAO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CsTapHIkAO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CsTapHIkAO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
Source:	Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 0_2_010ACB38 pushfd ; ret		0_2_010ACB39
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_0179B9C0 push es; ret		1_2_0179B9D0
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DB26E0 push FFFFFF8Bh; iretd		1_2_06DB26E8
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06DBD210 push es; ret		1_2_06DBD220
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Code function: 1_2_06F4760A push es; ret		1_2_06F47610
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A247D push es; retf		11_2_066A24F8
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A240F push es; retf		11_2_066A24F8
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Code function: 11_2_066A24F9 push 00000006h; retf		11_2_066A2550

Source: initial sample	Static PE information: section name: .text entropy: 7.86900119148787
Source: initial sample	Static PE information: section name: .text entropy: 7.86900119148787

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

File created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

File opened: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 3924	Thread sleep time: -40023s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 2816	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5208	Thread sleep count: 9330 > 30			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -10145709240540247s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1200000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1198454s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1195797s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1195640s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1195499s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1195373s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1195094s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194954s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194797s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194651s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194531s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194389s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1194179s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193949s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193794s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193641s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193511s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193363s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193250s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1193140s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192992s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192824s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192713s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192589s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192485s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192356s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192249s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1192047s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191934s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191811s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191641s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191501s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191375s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191262s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191156s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1191030s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1190887s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1190751s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1190594s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1190468s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -1190342s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99844s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99733s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99605s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99483s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99341s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99217s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -99107s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98998s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98868s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98763s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98652s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98542s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -98204s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196	Thread sleep time: -97954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 1708	Thread sleep time: -40023s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5444	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5152	Thread sleep count: 9101 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -9223372036854770s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1200000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1199704s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1199500s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1199286s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1199172s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1199000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198875s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198703s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198593s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198469s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198358s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1198156s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1197907s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1197750s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1197601s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1197407s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1197117s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196994s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196844s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196700s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196547s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196406s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196297s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196168s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1196047s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195859s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195704s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195547s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195401s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195250s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1195047s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194907s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194703s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194578s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194454s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194250s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1194108s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193797s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193657s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193500s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193387s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -1193157s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99802s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99687s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99564s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99437s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99327s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99215s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -99104s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -98993s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -98874s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -98764s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300	Thread sleep time: -98656s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4768	Thread sleep time: -40023s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3044	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3332	Thread sleep count: 9068 > 30
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1199594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1199335s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1199203s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1199000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1198782s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1198641s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1198391s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1198203s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1198047s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197671s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197273s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1197126s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196983s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196688s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196432s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196264s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1196094s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195852s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195724s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195594s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195484s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195326s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195196s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1195047s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194919s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194641s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194500s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194370s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194203s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1194088s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193843s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193700s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193541s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193391s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1193101s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1192984s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1192837s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1192719s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1192610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -1192453s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99688s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98921s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860	Thread sleep time: -98047s >= -30000s

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1200000			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1198454			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195797			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195640			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195499			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195373			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195094			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194954			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194797			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194651			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194531			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194389			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194179			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193949			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193794			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193641			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193511			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193363			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193250			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193140			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192992			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192824			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192713			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192589			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192485			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192356			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192249			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192047			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191934			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191811			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191641			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191501			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191375			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191262			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191156			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191030			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190887			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190751			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190594			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190468			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190342			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1200000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199704			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199500			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199286			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199172			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198875			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198703			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198593			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198469			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198358			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198156			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197907			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197750			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197601			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197407			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197117			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196994			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196844			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196700			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196547			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196406			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196297			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196168			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196047			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195859			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195704			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195547			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195401			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195250			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195047			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194907			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194703			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194578			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194454			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194250			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194108			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193954			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193797			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193657			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193500			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193387			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193157			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199594
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199335
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199000
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198782
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198641
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198391
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198047
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197671
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197547
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197406
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197273
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197126
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196983
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196688
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196547
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196432
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196264
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196094
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195852
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195724
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195594
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195484
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195326
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195196
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195047
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194919
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194641
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194500
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194370
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194088
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193953
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193843
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193700
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193541
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193391
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193250
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193101
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192984
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192837
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192719
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192610
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192453

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Window / User API: threadDelayed 9330			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Window / User API: threadDelayed 9101			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Window / User API: threadDelayed 9068

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 40023			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1200000			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1198454			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195797			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195640			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195499			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195373			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1195094			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194954			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194797			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194651			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194531			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194389			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1194179			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193949			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193794			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193641			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193511			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193363			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193250			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1193140			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192992			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192824			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192713			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192589			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192485			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192356			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192249			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1192047			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191934			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191811			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191641			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191501			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191375			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191262			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191156			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1191030			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190887			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190751			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190594			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190468			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 1190342			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99844			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99733			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99605			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99483			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99341			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99217			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 99107			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98998			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98868			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98763			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98652			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98542			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 98204			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Thread delayed: delay time: 97954			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 40023			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1200000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199704			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199500			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199286			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199172			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198875			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198703			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198593			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198469			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198358			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198156			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197907			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197750			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197601			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197407			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197117			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196994			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196844			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196700			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196547			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196406			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196297			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196168			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196047			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195859			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195704			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195547			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195401			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195250			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195047			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194907			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194703			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194578			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194454			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194250			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194108			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193954			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193797			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193657			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193500			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193387			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193157			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99802			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99687			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99564			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99437			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99327			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99215			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99104			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98993			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98874			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98764			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98656			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 40023			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199594
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199335
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1199000
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198782
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198641
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198391
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1198047
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197671
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197547
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197406
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197273
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1197126
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196983
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196688
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196547
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196432
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196264
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1196094
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195852
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195724
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195594
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195484
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195326
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195196
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1195047
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194919
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194797
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194641
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194500
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194370
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194203
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1194088
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193953
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193843
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193700
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193541
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193391
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193250
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1193101
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192984
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192837
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192719
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192610
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 1192453
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99844
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99688
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99578
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99469
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99359
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99250
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99140
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 99031
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98921
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98812
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98703
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98188
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Thread delayed: delay time: 98047

Source: BKEDEaL.exe, 0000000C.00000003.350298559.0000000001018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: CsTapHIkAO.exe, 00000001.00000003.308498234.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311226037.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320215817.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.307858436.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.317796217.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312368092.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BKEDEaL.exe, 0000000F.00000003.382899429.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe

Memory written: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Code function: 1_2_0179F6D0 GetUserNameW,

1_2_0179F6D0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\CsTapHIkAO.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: C:\Users\user\Desktop\CsTapHIkAO.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Source: Yara match	File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR