Windows Analysis Report
CsTapHIkAO.exe

Overview

General Information

Sample Name: CsTapHIkAO.exe
Original Sample Name: fc7ad54f4f2e785ad748d952945cc888.exe
Analysis ID: 830842
MD5: fc7ad54f4f2e785ad748d952945cc888
SHA1: 890ab6267da79e151b8c42e9f7f6a19d59a0eb4a
SHA256: 745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Adds / modifies Windows certificates
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • CsTapHIkAO.exe (PID: 2416 cmdline: C:\Users\user\Desktop\CsTapHIkAO.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
    • CsTapHIkAO.exe (PID: 4496 cmdline: C:\Users\user\Desktop\CsTapHIkAO.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • BKEDEaL.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe" MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5316 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • BKEDEaL.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe" MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5116 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • cleanup

Malware Configuration

AgentTesla: {"Exfil Mode": "SMTP", "Host": "mail.spjsv.ro", "Username": "psihiatrie@spjsv.ro", "Password": "Qpgi1i[5KoaZ"}
Source | Rule | Description | Author | Strings
00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CsTapHIkAO.exe PID: 4496 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CsTapHIkAO.exe | ReversingLabs: Detection: 30%
Source: CsTapHIkAO.exe | Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Virustotal: Detection: 41%
Source: CsTapHIkAO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Joe Sandbox ML: detected
Source: 0.2.CsTapHIkAO.exe.3e30db0.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.spjsv.ro", "Username": "psihiatrie@spjsv.ro", "Password": "Qpgi1i[5KoaZ"}
Source: CsTapHIkAO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: CsTapHIkAO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
Source: Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr

Networking

Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 104.237.62.211 104.237.62.211
Source: Joe Sandbox View | IP Address: 89.43.174.45 89.43.174.45
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.3:49701 -> 89.43.174.45:26
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateSe
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.defence.gov.au/pki0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.350298559.0000000001033000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.382899429.00000000010B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.spjsv.ro
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.accv.es0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.gva.es0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.acabogacia.org/doc0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
            Source: CsTapHIkAO.exe, 00000001.00000002.553832121.0000000007AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
            Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eca.hinet.net/repository0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
            Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
            Source: unknownDNS traffic detected: queries for: api.ipify.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\Desktop\CsTapHIkAO.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\CsTapHIkAO.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeWindow created: window name: CLIPBRDWNDCLASS
            Source: CsTapHIkAO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeCode function: 0_2_010AC8440_2_010AC844
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeCode function: 0_2_010AF1E80_2_010AF1E8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 0_2_010AF1F8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179C978
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179A9B8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_01799DA0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179A0E8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D8C6F0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D8F218
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D87C21
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D86840
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DBE650
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DBB570
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB4690
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB8F98
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB7FB8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB1D48
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F421CC
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F42F48
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F4ADE0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F42F38
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2C844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2F1F8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2F1E8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A00B0
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A44C2
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A00C6
            Source: CsTapHIkAO.exe, 00000000.00000002.299330117.0000000007210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003E30000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000000.251613107.000000000070A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.522177243.0000000000FA9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe | Binary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: BKEDEaL.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: CsTapHIkAO.exe | ReversingLabs: Detection: 30%
            Source: CsTapHIkAO.exe | Virustotal: Detection: 41%
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File read: C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: CsTapHIkAO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CsTapHIkAO.exe.log
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/9@12/3
            Source: CsTapHIkAO.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: CsTapHIkAO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: CsTapHIkAO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: CsTapHIkAO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
            Source: Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 0_2_010ACB38 pushfd ; ret 0_2_010ACB39
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179B9C0 push es; ret 1_2_0179B9D0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB26E0 push FFFFFF8Bh; iretd 1_2_06DB26E8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DBD210 push es; ret 1_2_06DBD220
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F4760A push es; ret 1_2_06F47610
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A247D push es; retf 11_2_066A24F8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A240F push es; retf 11_2_066A24F8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A24F9 push 00000006h; retf 11_2_066A2550
            Source: initial sample | Static PE information: section name: .text entropy: 7.86900119148787
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File opened: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 3924 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 2816 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5208 Thread sleep count: 9330 > 30
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1198454s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195797s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195640s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195499s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195373s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195094s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194954s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194797s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194651s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194531s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194389s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194179s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193949s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193794s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193641s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193511s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193363s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193250s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193140s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192992s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192824s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192713s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192589s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192485s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192356s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192249s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192047s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191934s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191811s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191641s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191501s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191375s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191262s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191156s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191030s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190887s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190751s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190594s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190468s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190342s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99844s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99733s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99605s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99483s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99341s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99217s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99107s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98998s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98868s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98763s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98652s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98542s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98204s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -97954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 1708 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5444 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5152 Thread sleep count: 9101 > 30
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199704s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199286s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199172s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198875s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198593s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198358s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198156s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197907s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197750s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197601s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197407s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197117s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196994s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196700s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196406s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196297s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196168s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195859s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195704s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195401s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194907s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194454s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194108s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193657s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193387s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193157s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99802s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99687s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99564s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99437s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99327s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99215s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99104s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98993s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98874s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98764s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98656s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4768 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3044 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3332 Thread sleep count: 9068 > 30
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199594s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199335s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198782s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198641s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198391s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197671s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197406s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197273s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197126s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196983s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196688s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196432s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196264s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1196094s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195852s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195724s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195594s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195484s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195326s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195196s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1195047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194919s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194641s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194370s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1194088s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193953s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193843s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193700s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193541s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193391s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1193101s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1192984s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1192837s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1192719s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1192610s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -1192453s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99688s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99359s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99140s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -99031s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98921s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98812s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98360s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98188s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860Thread sleep time: -98047s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1200000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1198454
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195640
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195499
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195373
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195094
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194954
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194651
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194531
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194389
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194179
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193949
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193794
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193511
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193363
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193250
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193140
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192992
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192824
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192713
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192589
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192485
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192356
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192249
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192047
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191934
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191811
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191501
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191375
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191262
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191156
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191030
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190887
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190751
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190594
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190468
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190342
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199286
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199172
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198875
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198593
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198358
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198156
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197750
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197601
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197407
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197117
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196994
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196297
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196168
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195859
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195401
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194454
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194108
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193954
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193657
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193387
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193157
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199335
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198782
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197671
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197273
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197126
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196983
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196432
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196264
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196094
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195852
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195724
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195484
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195326
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195196
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194919
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194370
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1194088
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193953
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193843
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193541
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1193101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1192984
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1192837
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1192719
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1192610
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1192453
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Window / User API: threadDelayed 9330
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Window / User API: threadDelayed 9101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Window / User API: threadDelayed 9068
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 40023
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1200000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1198454
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195640
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195499
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195373
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1195094
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194954
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194651
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194531
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194389
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1194179
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193949
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193794
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193511
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193363
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193250
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1193140
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192992
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192824
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192713
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192589
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192485
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192356
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192249
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1192047
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191934
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191811
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191501
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191375
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191262
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191156
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1191030
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190887
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190751
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190594
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190468
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 1190342
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99844
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99733
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99605
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99483
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99341
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99217
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 99107
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98998
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98868
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98763
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98652
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98542
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 98204
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Thread delayed: delay time: 97954
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 40023
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199286
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199172
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198875
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198593
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198358
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1198156
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197750
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197601
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197407
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1197117
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Thread delayed: delay time: 1196994
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196844Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196700Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196547Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196406Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196297Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196168Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196047Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195859Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195704Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195547Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195401Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195250Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195047Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194907Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194703Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194578Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194454Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194250Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194108Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193954Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193797Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193657Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193500Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193387Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193157Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99802Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99687Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99564Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99437Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99327Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99215Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99104Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98993Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98874Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98764Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98656Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 40023Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1199594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1199335
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1199203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1198782
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1198641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1198391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1198203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1198047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197671
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197273
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1197126
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196983
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196432
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196264
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1196094
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195852
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195724
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195484
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195326
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195196
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194919
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194370
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1194088
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193953
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193843
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193541
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1193101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192984
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192837
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192719
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192610
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192453
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 100000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99359
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99140
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99031
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98921
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98812
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98360
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98188
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98047
            Source: BKEDEaL.exe, 0000000C.00000003.350298559.0000000001018000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
            Source: CsTapHIkAO.exe, 00000001.00000003.308498234.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311226037.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320215817.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.307858436.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.317796217.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312368092.0000000006BBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: BKEDEaL.exe, 0000000F.00000003.382899429.00000000010B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Memory written: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179F6D0 GetUserNameW | 1_2_0179F6D0
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Blob

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match | File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR

MITRE ATT&CK Matrix

Techniques the report marks as observed, grouped by tactic; the number in parentheses is the badge count shown next to the technique in the matrix. Tactics with no flagged technique (Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact) are omitted.

Execution:
• Windows Management Instrumentation (211)

Persistence:
• Registry Run Keys / Startup Folder (1)

Privilege Escalation:
• Process Injection (111)
• Registry Run Keys / Startup Folder (1)

Defense Evasion:
• Disable or Modify Tools (11)
• Obfuscated Files or Information (2)
• Software Packing (2)
• Masquerading (1)
• Modify Registry (1)
• Virtualization/Sandbox Evasion (131)
• Process Injection (111)
• Hidden Files and Directories (1)

Credential Access:
• OS Credential Dumping (1)
• Input Capture (11)
• Credentials in Registry (1)

Discovery:
• Account Discovery (1)
• System Information Discovery (114)
• Query Registry (1)
• Security Software Discovery (211)
• Process Discovery (1)
• Virtualization/Sandbox Evasion (131)
• Application Window Discovery (1)
• System Owner/User Discovery (1)
• Remote System Discovery (1)
• System Network Configuration Discovery (1)

Collection:
• Archive Collected Data (1)
• Data from Local System (1)
• Email Collection (1)
• Input Capture (11)
• Clipboard Data (1)

Command and Control:
• Ingress Tool Transfer (1)
• Encrypted Channel (11)
• Non-Standard Port (1)
• Non-Application Layer Protocol (2)
• Application Layer Protocol (13)
Behavior Graph

Behavior Graph ID: 830842 | Sample: CsTapHIkAO.exe | Startdate: 20/03/2023 | Architecture: WINDOWS | Score: 100

Start node signatures:
• Multi AV Scanner detection for submitted file
• Yara detected AgentTesla
• Machine Learning detection for sample

Process tree (graph node numbers and counters as shown in the graph):
• [6] CsTapHIkAO.exe (3), started from the start node
  • Dropped: [25] C:\Users\user\AppData\...\CsTapHIkAO.exe.log, ASCII
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • [14] CsTapHIkAO.exe (17 10), started by [6]
    • DNS/IP: [31] api4.ipify.org 104.237.62.211, port 443, source ports 49700, 49705, WEBNXUS, United States
    • DNS/IP: [33] mail.spjsv.ro 89.43.174.45, port 26, source ports 49701, 49704, CHROOTBucharestROMANIAEURO, Romania
    • DNS/IP: [35] api.ipify.org
    • Dropped: [27] C:\Users\user\AppData\Roaming\...\BKEDEaL.exe, PE32
    • Dropped: [29] C:\Users\user\...\BKEDEaL.exe:Zone.Identifier, ASCII
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
• [10] BKEDEaL.exe (3), started from the start node
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • [19] BKEDEaL.exe (14 7), started by [10]
    • DNS/IP: [37] api.ipify.org
• [12] BKEDEaL.exe (2), started from the start node
  • Signatures: Injects a PE file into a foreign processes
  • [21] BKEDEaL.exe, started by [12]
    • DNS/IP: [39] 173.231.16.76, port 443, source port 49707, WEBNXUS, United States
    • DNS/IP: [41] api.ipify.org
    • Signatures: Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
  • [23] BKEDEaL.exe, started by [12]
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CsTapHIkAO.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
CsTapHIkAO.exe | 41% | Virustotal |
CsTapHIkAO.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 41% | Virustotal |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
mail.spjsv.ro | 3% | Virustotal |
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 104.237.62.211 | true | false | | high
mail.spjsv.ro | 89.43.174.45 | true | false | | unknown
api.ipify.org | unknown | unknown | false | | high
                NameSourceMaliciousAntivirus DetectionReputation
                http://www.certplus.com/CRL/class3.crl0CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://www.e-me.lv/repository0CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.acabogacia.org/doc0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://crl.chambersign.org/chambersroot.crl0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://ocsp.suscerte.gob.ve0CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.postsignum.cz/crl/psrootqca2.crl02CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://crl.dhimyotis.com/certignarootca.crl0CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.chambersign.org1 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://repository.swisssign.com/0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.suscerte.gob.ve/lcr0# | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0 | CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3P.crl0 | CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.com | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.suscerte.gob.ve/dpc0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certeurope.fr/reference/root2.crl0 | CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.certplus.com/CRL/class2.crl0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.defence.gov.au/pki0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sk.ee/cps/0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0= | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.anf.es | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09 | CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.urwpp.deDPlease | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pki.registradores.org/normativa/index.htm0 | CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://cps.root-x1.letsencrypt.org0 | CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.549357958.0000000006AF9000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000003.374393467.0000000001015000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://policy.camerfirma.com0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ssc.lt/cps03 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://ocsp.pki.gva.es0 | CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.anf.es/es/address-direccion.html | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.anf.es/address/)1(0& | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://mail.spjsv.ro | CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
http://ca.mtin.es/mtin/ocsp0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.000000000655F000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://wwww.certigna.fr/autorites/0m | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.dnie.es/dpc0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.mtin.es/mtin/DPCyPoliticas0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.anf.es/AC/ANFServerCA.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.globaltrust.info0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://acedicom.edicomgroup.com/doc0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.certplus.com/CRL/class3TS.crl0 | CsTapHIkAO.exe, 00000001.00000002.553832121.0000000007AD2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://crl.anf.es/AC/ANFServerCA.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.carterandcone.coml | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certeurope.fr/reference/pc-root2.pdf0 | CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://ac.economia.gob.mx/last.crl0G | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.catcert.net/verarrel | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca0f | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.e-szigno.hu/RootCA.crl | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.sk.ee/juur/crl/0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crl0 | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crl.oces.trust2408.com/oces.crl0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.quovadis.bm0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://eca.hinet.net/repository0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.ssc.lt/root-a/cacrl.crl0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oaticerts.com/repository/OATICA2.crl | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crt0 | CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es00 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy-G20 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.netlock.net/docs | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.e-trust.be/CPS/QNcerts | CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.ncdc.gov.sa0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.datev.de/zertifikat-policy-int0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0; | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://repository.luxtrust.lu0 | CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://ocsp.eca.hinet.net/OCSP/ocspG2sha20 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.firmaprofesional.com/cps0 | CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.tiro.com | CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.uce.gub.uy/acrn/acrn.crl0 | CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Legend: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.237.62.211 | api4.ipify.org | United States | 18450 | WEBNXUS | false
89.43.174.45 | mail.spjsv.ro | Romania | 56430 | CHROOTBucharestROMANIAEURO | false
173.231.16.76 | unknown | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830842
Start date and time: 2023-03-20 18:26:16 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: CsTapHIkAO.exe
Original Sample Name: fc7ad54f4f2e785ad748d952945cc888.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/9@12/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 75
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.10.249.161, 23.10.249.147, 8.238.191.126, 8.238.88.254, 8.238.189.126, 8.238.88.248, 8.238.85.126, 209.197.3.8
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:27:19 | API Interceptor | 750x Sleep call for process: CsTapHIkAO.exe modified
18:27:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
18:27:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
18:27:42 | API Interceptor | 1099x Sleep call for process: BKEDEaL.exe modified
Match: 104.237.62.211
Associated Sample Name / URL | Detection | Threat Name
cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT
New_Order_M2023SI3.xls | malicious | AgentTesla
PO2023#PREORDER.PDF.exe | malicious | AgentTesla
Product_specifications.exe | malicious | AgentTesla
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT
IMG_6071220733pdf.exe | malicious | AgentTesla
FixDefError.exe | malicious | Xmrig
main.exe | malicious | Discord Token Stealer
EPe7VpI8DZ.exe | malicious | AgentTesla
YWombrpvpG.exe | malicious | AgentTesla
VCO00IddkzE1Fea.exe | malicious | AgentTesla, zgRAT
Parts.exe | malicious | AgentTesla
ARRIVAL_NOTICE.exe | malicious | AgentTesla
e-dekont.exe | malicious | AgentTesla
Dn4GujmGOF.exe | malicious | AgentTesla
XOuNd4W6e6.exe | malicious | AgentTesla
Inv-67383728 [Reference Nr.exe | malicious | AgentTesla
Attachment.zip | malicious | AgentTesla, zgRAT
yeni_sipari#U015f.exe | malicious | AgentTesla

Match: 89.43.174.45
Associated Sample Name / URL | Detection | Threat Name
V9hBN9tW4H.exe | malicious | AgentTesla
Quotation.exe | malicious | AgentTesla
REQUEST FOR QUOTATION.exe | malicious | AgentTesla
VSvhnWEKx73w8nP.exe | malicious | AgentTesla
SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.15560.606.exe | malicious | AgentTesla
SecuriteInfo.com.Win32.PWSX-gen.9526.15635.exe | malicious | AgentTesla
queen elizerbeth best flower.exe | malicious | AgentTesla
odikwa egu.exe | malicious | AgentTesla, AsyncRAT
SecuriteInfo.com.Variant.Lazy.241206.11532.13097.exe | malicious | AgentTesla, AsyncRAT
YOUR MASTURBATING VIDEOS.exe | malicious | AgentTesla, AsyncRAT
SWIFT.exe | malicious | AgentTesla
USD INV.08192022.exe | malicious | AgentTesla
Payment Copy.exe | malicious | AgentTesla
#U56de#U590d#Uff1a#U63a1#U8cfc#U8a02#U55ae (PO_22-4556-1472_REV00).exe | malicious | AgentTesla, GuLoader
Nonfeelingly.exe | malicious | AgentTesla, GuLoader
SecuriteInfo.com.Trojan.Olock.1.17407.exe | malicious | AgentTesla
Match: api4.ipify.org
Associated Sample Name / URL | Detection | Threat Name | Context
cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
TT_copy.xls | malicious | AgentTesla | 173.231.16.76
PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
PO_340166.exe | malicious | AgentTesla | 64.185.227.155
2303-64687.exe | malicious | AgentTesla | 173.231.16.76
Product_specifications.exe | malicious | AgentTesla | 104.237.62.211
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
FixDefError.exe | malicious | Xmrig | 104.237.62.211
main.exe | malicious | Discord Token Stealer | 173.231.16.76
Purchase_Order-0823636.exe | malicious | AgentTesla | 64.185.227.155
Match: WEBNXUS
Associated Sample Name / URL | Detection | Threat Name | Context
cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
TT_copy.xls | malicious | AgentTesla | 173.231.16.76
PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
PO_340166.exe | malicious | AgentTesla | 64.185.227.155
2303-64687.exe | malicious | AgentTesla | 173.231.16.76
Product_specifications.exe | malicious | AgentTesla | 173.231.16.76
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
FixDefError.exe | malicious | Xmrig | 104.237.62.211
main.exe | malicious | Discord Token Stealer | 173.231.16.76
Purchase_Order-0823636.exe | malicious | AgentTesla | 64.185.227.155
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 104.237.62.211, 173.231.16.76
g0PWOnCNZH.exe | malicious | AgentTesla | 104.237.62.211, 173.231.16.76
Payment Invoice file.htm | malicious | HTMLPhisher | 104.237.62.211, 173.231.16.76
file.exe | malicious | Unknown | 104.237.62.211, 173.231.16.76
Budget plan 2023.zip | malicious | Unknown | 104.237.62.211, 173.231.16.76
setup.exe | malicious | Xmrig | 104.237.62.211, 173.231.16.76
Remittance_slip.bat | malicious | Unknown | 104.237.62.211, 173.231.16.76
Payment Invoice 0012657.html | malicious | HTMLPhisher | 104.237.62.211, 173.231.16.76
FeDex_shipping_document.exe | malicious | AgentTesla | 104.237.62.211, 173.231.16.76
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 104.237.62.211, 173.231.16.76
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer |
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                PO2023#PREORDER.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                PO_340166.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                PO_IN34023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                2303-64687.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                Product_specifications.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                REQUEST_FOR_QUOTE_1603023.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                eRPRiQhQEI.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                INV_SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
                                                                                                                                                IMG_6071220733pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                • 104.237.62.211
                                                                                                                                                • 173.231.16.76
No context

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):62582
Entropy (8bit):7.996063107774368
Encrypted:true
SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious:false
Reputation:moderate, very likely benign file
Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:data
Category:dropped
Size (bytes):328
Entropy (8bit):3.1335351732898324
Encrypted:false
SSDEEP:6:kKLFGry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:8CvkPlE99SNxAhUext
MD5:8F9C6E370F1D7C5E4C781D6EB5CA40B6
SHA1:F1481D2A7389EF1EA5BBABCEB9EB68E003EF0F7F
SHA-256:8756E1D44F7190F0AC920D89A89F3A59F31E31C7AD4725C62E5806683B6B76D9
SHA-512:E836FE0C57DF529A59CE06BB8E7797B82F587ED9C34E88FD2CC44BC81105C81BB2C5D21B8BEEABF7C05A359B7C1B088DD09BF5C4298ADB9007F1BDB755AA8424
Malicious:false
Reputation:low
Preview:p...... ..........`M.\..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...

Process:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.355304211458859
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:FED34146BF2F2FA59DCF8702FCC8232E
SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:false
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.355304211458859
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:FED34146BF2F2FA59DCF8702FCC8232E
SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:modified
Size (bytes):28672
Entropy (8bit):1.4755077381471955
Encrypted:false
SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:DEE86123FE48584BA0CE07793E703560
SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:false
Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):752128
Entropy (8bit):7.860252795159179
Encrypted:false
SSDEEP:12288:J5lmYMUnFW/NDMsa/S5MZJ+1ghNBtVyML3H1vY/ADhm1of1OWHBP/28dEQvYbow:J5lUVMsyS50vXV3Fvqx1vWHJ/28dh5
MD5:FC7AD54F4F2E785AD748D952945CC888
SHA1:890AB6267DA79E151B8C42E9F7F6A19D59A0EB4A
SHA-256:745334EBCF459EC748D00EAF3BCB94045CEBDD6275ACA548255C1C922F0F9D9D
SHA-512:63D3BD6456259FC7CC34086ED24C46D0B9B59A124D3431CC22C192A868E6157C130D79796EBF240FF23AEF66E6D312BBE778BFB3692A1B6ED6D087BF479C0B0B
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 31%
• Antivirus: Virustotal, Detection: 41%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..d............... ........@.. ....................................@.................................3...O................................... n..T............................................ ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............x..............@..B................g.......H.......@V...1......"....................................................0..R..........4...%..{....{L....%.r...p.%..|....(.....%.r...p.%..{.....X...(.....(.......+..*...0..&..........{........,...{.....+....{....Z.+..*".(.....*..0..z..............}...........}......}.....(.......(......{.....s!...%.d}M...%r!..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r)..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r1..p}L...%.{....}P...%.{....}O......{.......+........o....&.

Process:C:\Users\user\Desktop\CsTapHIkAO.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:dropped
Size (bytes):28672
Entropy (8bit):1.4755077381471955
Encrypted:false
SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:DEE86123FE48584BA0CE07793E703560
SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:false
Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.860252795159179
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: CsTapHIkAO.exe
File size: 752128
MD5: fc7ad54f4f2e785ad748d952945cc888
SHA1: 890ab6267da79e151b8c42e9f7f6a19d59a0eb4a
SHA256: 745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d
SHA512: 63d3bd6456259fc7cc34086ed24c46d0b9b59a124d3431cc22c192a868e6157c130d79796ebf240ff23aef66e6d312bbe778bfb3692a1b6ed6d087bf479c0b0b
SSDEEP: 12288:J5lmYMUnFW/NDMsa/S5MZJ+1ghNBtVyML3H1vY/ADhm1of1OWHBP/28dEQvYbow:J5lUVMsyS50vXV3Fvqx1vWHJ/28dh5
TLSH: 63F402382F9B4236F53257BD85E02680677E77B36723D95D04B121CE5BB37029AD0A2B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..d............... ........@.. ....................................@................................
Icon Hash: 209480e66eb84902
Entrypoint: 0x4b8286
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6417BEAA [Mon Mar 20 02:02:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb8233          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xba000          0x1110        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb6e20          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb628c | 0xb6400 | False | 0.9273874206961591 | data | 7.86900119148787 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x1110 | 0x1200 | False | 0.7306857638888888 | data | 6.633755365364255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xba100 | 0xa79 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xbab8c | 0x14 | data | |
RT_VERSION | 0xbabb0 | 0x360 | data | |
RT_MANIFEST | 0xbaf20 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                Mar 20, 2023 18:28:06.545011044 CET4970826192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:06.545455933 CET4970826192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:06.583900928 CET264970889.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:10.822398901 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:10.860876083 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:10.860996962 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:10.930048943 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:10.930246115 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:10.969022036 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:10.969528913 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.009428978 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.012852907 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.058933973 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.058974028 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.058990955 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.059001923 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.059170961 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.060693026 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.064091921 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.102853060 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.104301929 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.142829895 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.143229008 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.182323933 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:11.182776928 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:11.260541916 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:13.229655981 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:13.229990959 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:13.268556118 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:13.268589973 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:13.269272089 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:13.269371033 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:13.270595074 CET4970926192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:13.307816982 CET264970989.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:17.890398979 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:17.928930044 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:17.929117918 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.000031948 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.000565052 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.039458036 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.039834976 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.079936028 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.080740929 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.125013113 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.125061989 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.125080109 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.125097036 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.125215054 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.125286102 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.126203060 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.131092072 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.170020103 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.191821098 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.230910063 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.231492043 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.271054983 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:18.271847963 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:18.351650000 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:20.317090034 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:20.317533970 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:20.356036901 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:20.356086016 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:20.356837034 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:20.356920004 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:20.357425928 CET4971026192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:20.395872116 CET264971089.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.206346989 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.245130062 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.249429941 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.317908049 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.320625067 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.359533072 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.360016108 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.400409937 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.400959015 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.445550919 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.445596933 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.445624113 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.445648909 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.445708036 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.445746899 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.446974039 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.449960947 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.488542080 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.489959002 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.528502941 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.529032946 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.568456888 CET264971189.43.174.45192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.569087029 CET4971126192.168.2.389.43.174.45
                                                                                                                                                Mar 20, 2023 18:28:21.647572994 CET264971189.43.174.45192.168.2.3
                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                Mar 20, 2023 18:27:23.871232986 CET5892153192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:23.894016027 CET53589218.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:27:23.903903961 CET6270453192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:23.925348997 CET53627048.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:27:36.987834930 CET4997753192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:37.013712883 CET53499778.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:27:44.058130026 CET5238753192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:44.120850086 CET53523878.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:27:51.552333117 CET5692453192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:51.573849916 CET53569248.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:27:51.584722996 CET6062553192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:27:51.604175091 CET53606258.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:02.055280924 CET5397553192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:02.074980974 CET53539758.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:02.082792044 CET5113953192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:02.102576971 CET53511398.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:04.026057005 CET5295553192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:04.043845892 CET53529558.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:10.749948025 CET6058253192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:10.813093901 CET53605828.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:17.866210938 CET5713453192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:17.888845921 CET53571348.8.8.8192.168.2.3
                                                                                                                                                Mar 20, 2023 18:28:21.180830956 CET6205053192.168.2.38.8.8.8
                                                                                                                                                Mar 20, 2023 18:28:21.199157953 CET53620508.8.8.8192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 18:27:23.871232986 CET | 192.168.2.3 | 8.8.8.8 | 0x1edc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.903903961 CET | 192.168.2.3 | 8.8.8.8 | 0xf875 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:36.987834930 CET | 192.168.2.3 | 8.8.8.8 | 0x9ffe | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:44.058130026 CET | 192.168.2.3 | 8.8.8.8 | 0x311b | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.552333117 CET | 192.168.2.3 | 8.8.8.8 | 0xfae1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.584722996 CET | 192.168.2.3 | 8.8.8.8 | 0x6f39 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:02.055280924 CET | 192.168.2.3 | 8.8.8.8 | 0xf9fd | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:02.082792044 CET | 192.168.2.3 | 8.8.8.8 | 0x378a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:04.026057005 CET | 192.168.2.3 | 8.8.8.8 | 0x68f6 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:10.749948025 CET | 192.168.2.3 | 8.8.8.8 | 0x6279 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:17.866210938 CET | 192.168.2.3 | 8.8.8.8 | 0x1001 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:28:21.180830956 CET | 192.168.2.3 | 8.8.8.8 | 0x6fbb | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org |  | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org |  | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:37.013712883 CET | 8.8.8.8 | 192.168.2.3 | 0x9ffe | No error (0) | mail.spjsv.ro |  | 89.43.174.45 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:44.120850086 CET | 8.8.8.8 | 192.168.2.3 | 0x311b | No error (0) | mail.spjsv.ro |  | 89.43.174.45 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org |  | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                                                                                                Mar 20, 2023 18:27:51.604175091 CET8.8.8.8192.168.2.30x6f39No error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.074980974 CET8.8.8.8192.168.2.30xf9fdNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.074980974 CET8.8.8.8192.168.2.30xf9fdNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.074980974 CET8.8.8.8192.168.2.30xf9fdNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.074980974 CET8.8.8.8192.168.2.30xf9fdNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.102576971 CET8.8.8.8192.168.2.30x378aNo error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.102576971 CET8.8.8.8192.168.2.30x378aNo error (0)api4.ipify.org64.185.227.155A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.102576971 CET8.8.8.8192.168.2.30x378aNo error (0)api4.ipify.org173.231.16.76A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:02.102576971 CET8.8.8.8192.168.2.30x378aNo error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:04.043845892 CET8.8.8.8192.168.2.30x68f6No error (0)mail.spjsv.ro89.43.174.45A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:10.813093901 CET8.8.8.8192.168.2.30x6279No error (0)mail.spjsv.ro89.43.174.45A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:17.888845921 CET8.8.8.8192.168.2.30x1001No error (0)mail.spjsv.ro89.43.174.45A (IP address)IN (0x0001)false
                                                                                                                                                Mar 20, 2023 18:28:21.199157953 CET8.8.8.8192.168.2.30x6fbbNo error (0)mail.spjsv.ro89.43.174.45A (IP address)IN (0x0001)false
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49700 | 104.237.62.211 | 443 | C:\Users\user\Desktop\CsTapHIkAO.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:27:25 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:27:25 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:27:25 GMT
Vary: Origin
Connection: close
2023-03-20 17:27:25 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49705 | 104.237.62.211 | 443 | C:\Users\user\Desktop\CsTapHIkAO.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:27:52 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:27:53 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:27:52 GMT
Vary: Origin
Connection: close
2023-03-20 17:27:53 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49707 | 173.231.16.76 | 443 | C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:28:04 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:28:04 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:28:04 GMT
Vary: Origin
Connection: close
2023-03-20 17:28:04 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78



Target ID: 0
Start time: 18:27:12
Start date: 20/03/2023
Path: C:\Users\user\Desktop\CsTapHIkAO.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\CsTapHIkAO.exe
Imagebase: 0x650000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 1
Start time: 18:27:21
Start date: 20/03/2023
Path: C:\Users\user\Desktop\CsTapHIkAO.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\CsTapHIkAO.exe
Imagebase: 0xd60000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 11
Start time: 18:27:39
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
Imagebase: 0x110000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 31%, ReversingLabs
• Detection: 41%, Virustotal
Reputation: low

Target ID: 12
Start time: 18:27:45
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Imagebase: 0x790000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 13
Start time: 18:27:48
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
Imagebase: 0x9e0000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 14
Start time: 18:27:58
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Imagebase: 0x7ff651c80000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Target ID: 15
Start time: 18:27:58
Start date: 20/03/2023
Path: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Imagebase: 0x960000
File size: 752128 bytes
MD5 hash: FC7AD54F4F2E785AD748D952945CC888
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:8.5%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                  Total number of Nodes:96
                                                                                                                                                  Total number of Limit Nodes:5

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 010AC370
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 010AC3AD
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 010AC3EA
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 010AC443
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 010AC370
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 010AC3AD
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 010AC3EA
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 010AC443
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 010AA26E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 010A5421
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 010A5421
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AC9C7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AC9C7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: (graph image omitted; legend: Executed / Not Executed)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010AA2E9,00000800,00000000,00000000), ref: 010AA4FA
Memory Dump Source
• Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: (graph image omitted; legend: Executed / Not Executed)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010AA2E9,00000800,00000000,00000000), ref: 010AA4FA
Memory Dump Source
• Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: (graph image omitted; legend: Executed / Not Executed)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 010AA26E
Memory Dump Source
• Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273104159.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ebd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273152208.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ecd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273152208.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ecd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273152208.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ecd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273104159.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ebd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273152208.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ecd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273104159.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ebd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.273104159.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ebd000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  • Opcode ID: 59e3ba9495e180cd4204c6078a092fd77456600539d92e0c3aeb5a95d967b0a0
                                                                                                                                                  • Instruction ID: 45dea5195aedf942519a95798ec6c985357397cdaa70f541a5a8b410641c50e6
                                                                                                                                                  • Opcode Fuzzy Hash: 59e3ba9495e180cd4204c6078a092fd77456600539d92e0c3aeb5a95d967b0a0
                                                                                                                                                  • Instruction Fuzzy Hash: A6F068714042549AE7108E15CC88BE3FFD8EB51734F18C55AED045B286D7755C44CAB1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4dd8d02d476c3aa854b43cc0f801069cb2f4cc0c25ae5cf8af3d905e75750f16
                                                                                                                                                  • Instruction ID: a1851b56876dc2ab2cd7d3ec8b5f6d3801cb847187a7fbe04cf0e5574b88f465
                                                                                                                                                  • Opcode Fuzzy Hash: 4dd8d02d476c3aa854b43cc0f801069cb2f4cc0c25ae5cf8af3d905e75750f16
                                                                                                                                                  • Instruction Fuzzy Hash: 5512B5F96117468ED334CF6AEC981893BA1F755328F904308D2E52BAD9D7BE214ACF44
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4806d8b52b3c72973cc63e2558d26494f5c10602ecec5b1c785689f5b1ddae7c
                                                                                                                                                  • Instruction ID: 751a2fe21fca2ad13c1bd5a6f526007881aeeaa0720c0a6919d79e894d1072b6
                                                                                                                                                  • Opcode Fuzzy Hash: 4806d8b52b3c72973cc63e2558d26494f5c10602ecec5b1c785689f5b1ddae7c
                                                                                                                                                  • Instruction Fuzzy Hash: 87A17032E0061ACFCF05DFA5C9445DEBBF2FF89300B5585AAE945AB261EB35A905CF40
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.273368063.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_10a0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f9030338e70cca6105fee604f2558bd31e586043a6d997b1e3b2f1793508cde8
                                                                                                                                                  • Instruction ID: 51f9ba8c93290cc9dc82d664fb0fbf7b58dcd69d321d4a05252e7887571f10a6
                                                                                                                                                  • Opcode Fuzzy Hash: f9030338e70cca6105fee604f2558bd31e586043a6d997b1e3b2f1793508cde8
                                                                                                                                                  • Instruction Fuzzy Hash: D1C129B9A117468FD320DF6AEC981897B71FB85328F504308D1A16B6D8D7BE304ACF94
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:11.8%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:0.7%
                                                                                                                                                  Total number of Nodes:406
                                                                                                                                                  Total number of Limit Nodes:48
                                                                                                                                                   execution_graph: node/edge dump of the rendered graph (the interactive figure is not reproduced here). API-bearing nodes recovered from the dump, listed with the address of the function that carries the call:
                                                                                                                                                   • 6d8e1a8 PeekMessageW and 6d8f6e0 WaitMessage (message loop under 6d8f207 / 6d8f218)
                                                                                                                                                   • 6f49680 OleInitialize; 6f49822 OleGetClipboard
                                                                                                                                                   • 6f466d0 and 6f46787 GetCurrentProcess; 6f4674a GetCurrentThread; 6f467e5 GetCurrentThreadId; 6f468f8 DuplicateHandle
                                                                                                                                                   • 6f448f8 CreateWindowExW; 6f479a2 CallWindowProcW
                                                                                                                                                   • 17975f0 LoadLibraryA; 6d87b80 LoadLibraryExW (reached through 6d86a08); 6f412b0 and 6f412f8 GetModuleHandleW
                                                                                                                                                   • 179f731 GetUserNameW
                                                                                                                                                   • 6dbeba6 GlobalMemoryStatusEx (reached through 6dbce88, 6dbea50, 6dbea79)
                                                                                                                                                   • 6f4e36c SetWindowsHookExA (entry node 6f4e328)
                                                                                                                                                   • 6d8be1e and 6d8be4a GetKeyState (reached through 6d8b4eb, 6d8b4f8)
                                                                                                                                                   • 6f46a30 DeleteFileW (reached through 6f469c8 and 6f463a8)
                                                                                                                                                   • KiUserCallbackDispatcher at 1790bb0, 1791000, 1791010, 1791130, 179f8c1, 6f40007, 6f40040, 6f48818, 6f48a18, 6f48a28, 6f48bb8, 6f48bf9
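The node/edge dump is easier to query once it is parsed into a graph. The following Python is an added example, not Joe Sandbox code; it assumes the token layout seen in the dump (a decimal node id, a hex address or, in the control_flow_graph dumps further down, a hex block range, an optional label such as an API name or an "N API calls" rollup, and "src->dst" edge tokens). The function names are mine. The embedded excerpt is copied from this report's execution graph (the SetWindowsHookExA, GetKeyState and KiUserCallbackDispatcher nodes plus one rollup node), so the walk from entry 6f4e328 answers "which API does this entry reach?" without reading the raw dump.

```python
"""Parse Joe Sandbox's flattened execution_graph / control_flow_graph text and
ask which API calls are reachable from a given node.

Added example (not Joe Sandbox code). The token layout is inferred from the
report's dump: a decimal node id, then a hex address (or a hex block range in a
control_flow_graph), then an optional label (an API name, "call <addr>", or a
"N API calls" rollup), with "src->dst" tokens for edges.
"""
import re
from collections import deque

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# 7-hex-digit addresses like 6f4e36c or 1790448; CFG nodes use ranges like 6d8f218-6d8f27b.
ADDRESS = re.compile(r"^[0-9a-f]{6,16}(-[0-9a-f]{6,16})?$")
ROLLUP = re.compile(r"^\d+ API calls$")  # summary label, not a concrete API


def parse_graph(text):
    """Return (nodes, edges). nodes: id -> (address, label); edges: list of (src, dst)."""
    tokens = text.split()
    if tokens and tokens[0].endswith("_graph"):  # "execution_graph" / "control_flow_graph"
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        # A decimal token followed by an address token opens a new node; labels
        # never contain that pair ("3 API calls" is followed by "API", not hex).
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = tok
            nodes[current] = [tokens[i + 1], []]
            i += 2
            continue
        if current is None:
            raise ValueError("label token %r before any node" % tok)
        nodes[current][1].append(tok)
        i += 1
    return {nid: (addr, " ".join(words)) for nid, (addr, words) in nodes.items()}, edges


def api_index(nodes):
    """Map each concrete API label to the sorted addresses of the nodes carrying it."""
    index = {}
    for addr, label in nodes.values():
        if label and not ROLLUP.match(label):
            index.setdefault(label, []).append(addr)
    return {api: sorted(addrs) for api, addrs in index.items()}


def reachable_apis(nodes, edges, start):
    """Breadth-first walk along edges from `start`; collect the concrete API labels seen."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        nid = queue.popleft()
        label = nodes.get(nid, ("", ""))[1]  # edges may point at nodes outside the excerpt
        if label and not ROLLUP.match(label):
            apis.add(label)
        for nxt in succ.get(nid, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis


# Excerpt copied from this report's execution_graph dump (not constructed):
# the SetWindowsHookExA, GetKeyState and KiUserCallbackDispatcher nodes plus one rollup node.
EXCERPT = """execution_graph 48258 6f4e328 48261 6f4e36c SetWindowsHookExA 48258->48261 48260 6f4e3b2 48261->48260
48345 6d8b4eb 48346 6d8b4f8 48345->48346 48347 6d8be1e GetKeyState 48346->48347 48350 6d8b7b1 48346->48350
48348 6d8be4a GetKeyState 48347->48348 48348->48350 48350->48333
48432 1790bd0 48434 1791130 KiUserCallbackDispatcher 48432->48434
48457 6d82b39 48458 6d82b5d 48457->48458 48459 6d82cc8 3 API calls 48457->48459"""

if __name__ == "__main__":
    nodes, edges = parse_graph(EXCERPT)
    print(len(nodes), "nodes,", len(edges), "edges")
    for api, addrs in sorted(api_index(nodes).items()):
        print(api, addrs)
    print("from 6f4e328:", reachable_apis(nodes, edges, "48258"))
```

Feed it the full dump and `api_index` gives the same address-per-API table a reviewer would otherwise build by hand, while `reachable_apis` from a chosen entry (for example the 1790448 root) shows which imports that code path can actually reach; rollup labels such as "3 API calls" are deliberately excluded because they name a count, not an API.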

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                   control_flow_graph: basic-block dump of the function at 6d8f218 (blocks 6d8f218 through 6d8f79f; the interactive figure is not reproduced here). Calls recovered from the block labels: 6d8e1a8 (from blocks 6d8f3df and 6d8f6c1), 6d8e1b4, 6d8e1c0, 6d8e1cc, 6d8e1d8, 6d8e1e8, 6d8e1f4, 6d8e200, and WaitMessage at 6d8f6e0-6d8f70c, consistent with the PeekMessageW/WaitMessage loop shown for this function in the execution graph.
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9269027d2645d240061213d82de040be61acab0a2a3a19fe886a5a185890d329
                                                                                                                                                  • Instruction ID: f5477aaea66dd622237158d8c3052b2f0e938bf7caefa4a6c2607fa59c660546
                                                                                                                                                  • Opcode Fuzzy Hash: 9269027d2645d240061213d82de040be61acab0a2a3a19fe886a5a185890d329
                                                                                                                                                  • Instruction Fuzzy Hash: 21F13A30E002099FEB54EFA9C948B9DBBF1FF88344F148569E405AB2A5DB74E945CF81
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                   control_flow_graph: basic-block dump of the function at 179f6d0 (blocks 179f6d0 through 179f888; the interactive figure is not reproduced here). The only API call in the block labels is GetUserNameW at 179f7e0-179f81b.
                                                                                                                                                  APIs
                                                                                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0179F80B
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.526709203.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_1790000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: NameUser
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2645101109-0
                                                                                                                                                  • Opcode ID: 1c5be595fb472ed9407bcb5480b31fe825d3bb240e55003cf1665ae15b5b1bf5
                                                                                                                                                  • Instruction ID: f582fad81b901b395f290f8edac010c35ceef80f35a344c60ca3d9f441de8819
                                                                                                                                                  • Opcode Fuzzy Hash: 1c5be595fb472ed9407bcb5480b31fe825d3bb240e55003cf1665ae15b5b1bf5
                                                                                                                                                  • Instruction Fuzzy Hash: 75510474D002288FDF18CFA9D894B9DFBB1BF48314F14812AD819AB391D774A849CF95
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 06F46730
• GetCurrentThread.KERNEL32 ref: 06F4676D
• GetCurrentProcess.KERNEL32 ref: 06F467AA
• GetCurrentThreadId.KERNEL32 ref: 06F46803
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: c7ac96856b382ecc4b05c593277e66c8a95283a4beac1e55b978966e473407c4
• Instruction ID: 58d1e2971f899be8c1b5699668b0b12ea4a666d7e9d9b4854736d8798cab82c9
• Opcode Fuzzy Hash: c7ac96856b382ecc4b05c593277e66c8a95283a4beac1e55b978966e473407c4
• Instruction Fuzzy Hash: C75154B4D006088FDB50DFAAD988B9EBFF0AF88314F248459E409B7290DB745984CF66
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 06F46730
• GetCurrentThread.KERNEL32 ref: 06F4676D
• GetCurrentProcess.KERNEL32 ref: 06F467AA
• GetCurrentThreadId.KERNEL32 ref: 06F46803
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 3eec77552c08387ac4ec82be5c67772b4bbbbc8ec242beb2692c88e982b737a4
• Instruction ID: 67af03868c62c8e6290d4d8a43bd1c7c07f8af37c01c9a0e45d561a7ebc49110
• Opcode Fuzzy Hash: 3eec77552c08387ac4ec82be5c67772b4bbbbc8ec242beb2692c88e982b737a4
• Instruction Fuzzy Hash: 005143B4D006498FDB50DFAAD688B9EBFF0EF88314F248459E409B7290DB745984CF66
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f4da8a4413a1536a853c339e10ef400c15264dcccf19db45b7372e84160d235
• Instruction ID: 3e1ce22c694c8b7d5015bcf5790dc8c4700c11e183822af7c4fb7c9b65853e39
• Opcode Fuzzy Hash: 8f4da8a4413a1536a853c339e10ef400c15264dcccf19db45b7372e84160d235
• Instruction Fuzzy Hash: B0220874E00209CFDB94EF58C59DABEB7B2FB85310F248157D951AB364CA35A881CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not preserved in this extraction; basic blocks span 6f48a28-6f48c41, with calls to 6f48c48, 6f4ade0 and KiUserCallbackDispatcher.
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d4ba3dbf11a203ee5943cc76aecf7f291f2f78af43c51e6daee72b67e8f92c9
• Instruction ID: 56961b9e4c241c7d25c31c79d3b6d56af3ce93a7b5379134b24bb4dc53d3e8a6
• Opcode Fuzzy Hash: 9d4ba3dbf11a203ee5943cc76aecf7f291f2f78af43c51e6daee72b67e8f92c9
• Instruction Fuzzy Hash: 8F616871A002098FCB44DFA9D880A9EFBF5FF88314F14856AE918AB395D7719845CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not preserved in this extraction; basic blocks span 6dbea79-6dbec05, with calls to 6dbd6cc, 6dbc444 and GlobalMemoryStatusEx.
Memory Dump Source
• Source File: 00000001.00000002.552051996.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6db0000_CsTapHIkAO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 988611227b12b754841784d931c920ddfcc36713396c839bf3d12b251d7a4d77
• Instruction ID: 1ef02946228f529c3fcc2421c26ddb174098a310f8f3d52eb0a1e50b3116d216
• Opcode Fuzzy Hash: 988611227b12b754841784d931c920ddfcc36713396c839bf3d12b251d7a4d77
• Instruction Fuzzy Hash: 6E41F372D1439A8FC700CFB9C8106DABFF5AF8A310F18866AD445A7291DB749845CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not preserved in this extraction; basic blocks span 179f6c5-179f888 and include a call to GetUserNameW.
APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0179F80B
Memory Dump Source
• Source File: 00000001.00000002.526709203.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1790000_CsTapHIkAO.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 14dc7e9771bff878c68f5879629a489c9d75cc0c41b4525cfd47fc2a23d7fcc8
• Instruction ID: b5aa1f9f3f73f8ceb6256a3fb163bab325e85fbea228935ed4643b4d2b668bbd
• Opcode Fuzzy Hash: 14dc7e9771bff878c68f5879629a489c9d75cc0c41b4525cfd47fc2a23d7fcc8
• Instruction Fuzzy Hash: 5A510574D002288FDF18CFA9D894B9DFBB1BF48314F54812AD815AB391D774A849CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not preserved in this extraction; basic blocks span 6f44890-6f44a00 and include a call to CreateWindowExW.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F449A2
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 0307aa76a374a284c0f9ae261e4dc2f472cd03fd3f589f0d6fd8430e4953ca8c
• Instruction ID: 0a62ce0fa39c9776eed5a827dfc78c76573e8abb0a7f7d2aeb98549b04f51dd6
• Opcode Fuzzy Hash: 0307aa76a374a284c0f9ae261e4dc2f472cd03fd3f589f0d6fd8430e4953ca8c
• Instruction Fuzzy Hash: 8D41DEB1D002099FDB14CF9AC984ADEBFF5FF48314F24812AE818AB254D7759945CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not preserved in this extraction; basic blocks span 6f46494-6f47a24, with calls to 6f421ac and CallWindowProcW.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 06F479C9
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: d9d6acb1011934db90bb68b36d3158787d4807b06202b99722bc1935ce8aab2a
• Instruction ID: ee8d1dfcc6765e34ff158164529e7b7da3d7700a7856f4c93373f4d3d875db1e
• Opcode Fuzzy Hash: d9d6acb1011934db90bb68b36d3158787d4807b06202b99722bc1935ce8aab2a
• Instruction Fuzzy Hash: D8416AB5A003448FDB44EF99C888AAABFF5FF88314F248449D519A7721D335A840CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered image not reproduced): 15 basic blocks, entry block 17975e4-1797647; LoadLibraryA is called from block 179769b-17976e7; blocks 1797682-1797691 and 1797732 have edges back to themselves.
APIs
• LoadLibraryA.KERNELBASE(?), ref: 017976D7
Memory Dump Source
• Source File: 00000001.00000002.526709203.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1790000_CsTapHIkAO.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 20ae5dfb5f1c1191c860275f05cf8e9bb79821df085d4c4049736f3c9d5d4eb8
• Instruction ID: 078317427565aa7fe1def2d813f8e802f7f9a2e1b6b8383d50e63b76dc7f3eec
• Opcode Fuzzy Hash: 20ae5dfb5f1c1191c860275f05cf8e9bb79821df085d4c4049736f3c9d5d4eb8
• Instruction Fuzzy Hash: 674135B0D106198FDB18CFADD88479EFBF1EB48314F148129E815AB284D774984ACF92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered image not reproduced): 15 basic blocks, entry block 1795a64-1797647, followed by the same blocks as the previous entry (the same function body reached from an earlier entry address); LoadLibraryA is called from block 179769b-17976e7; blocks 1797682-1797691 and 1797732 have edges back to themselves.
APIs
• LoadLibraryA.KERNELBASE(?), ref: 017976D7
Memory Dump Source
• Source File: 00000001.00000002.526709203.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1790000_CsTapHIkAO.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f59b7f087fbf5854b4471da8978b2073f3ab99576992a74eb47435738dd4c7e6
• Instruction ID: 50c8d9a2a545befb455e3b135f55a36fd2349c49e741779e8998697c8210cc1d
• Opcode Fuzzy Hash: f59b7f087fbf5854b4471da8978b2073f3ab99576992a74eb47435738dd4c7e6
• Instruction Fuzzy Hash: 034116B0D106598FDB18CFADD88479EFBF1FB48714F148129E815AB284D774984ACF92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered image not reproduced): 8 basic blocks, entry block 6f497bc-6f49818; OleGetClipboard is called from block 6f49822-6f49860; block 6f498c8 has an edge back to itself.
APIs
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: 2e6014ff218d22442360ab58a6d2273cda3bfdcd93d470418eb00c7b158b5283
• Instruction ID: 5f89d88468a02fbec94ea3c9f40b979dd416ba9cc7b83ed73908d5f2b2fdd154
• Opcode Fuzzy Hash: 2e6014ff218d22442360ab58a6d2273cda3bfdcd93d470418eb00c7b158b5283
• Instruction Fuzzy Hash: 2931F2B0E01208DFDB54DF99C984BCEBBF5AF48314F248019E404BB694DBB46945CB55
Uniqueness
Uniqueness Score: -1.00%


                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 1758 6f497c8-6f49860 OleGetClipboard 1760 6f49862-6f49868 1758->1760 1761 6f49869-6f498b7 1758->1761 1760->1761 1766 6f498c7 1761->1766 1767 6f498b9-6f498bd 1761->1767 1769 6f498c8 1766->1769 1767->1766 1768 6f498bf 1767->1768 1768->1766 1769->1769
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Clipboard
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 220874293-0
                                                                                                                                                  • Opcode ID: 0210c6fb8b5dd6cb3e0b0a98eebad279bd2130818f1f94afd3e6378b33591f74
                                                                                                                                                  • Instruction ID: de9a3d9351fedaa1c353116db8e84d38f54632c1f82a28c64267cb0c6c153b11
                                                                                                                                                  • Opcode Fuzzy Hash: 0210c6fb8b5dd6cb3e0b0a98eebad279bd2130818f1f94afd3e6378b33591f74
                                                                                                                                                  • Instruction Fuzzy Hash: 4131E2B0E01208DFDB54DF99C984BCEBFF5AF48314F248019E404AB390DBB46945CB55
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered image not reproduced): 3 basic blocks, entry block 6f468f8-6f4698c, which calls DuplicateHandle, then 6f4698e-6f46994 and 6f46995-6f469b2.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F4697F
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1e725d177437f350db5d15b33fb13a05b936722d50f96b823144c853c3a5d5a8
• Instruction ID: 190d8c37fe4134f44da3ca180c9aa00c3d63ae343430d33179577f4b30c2cacd
• Opcode Fuzzy Hash: 1e725d177437f350db5d15b33fb13a05b936722d50f96b823144c853c3a5d5a8
• Instruction Fuzzy Hash: 3F21C2B5D002099FDB10CFAAD984ADEFFF8EB48324F14841AE914A7350D375A954CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06F496D5
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 4712268adcc925c7e113a05f89cfcee7af4af98e32a01d4bd034886e2019d800
• Instruction ID: 2d1e2736506d8ab7d1a4c6a7fdf5812cec4b38f7c2b185d21bcf1cc8a8d2d8ca
• Opcode Fuzzy Hash: 4712268adcc925c7e113a05f89cfcee7af4af98e32a01d4bd034886e2019d800
• Instruction Fuzzy Hash: 97218871E003448FCB60DFA9D5497DBBFF4AB49328F14481ED40AA3A40C3B9A588CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F4E3A3
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 9cb9f742759ab7bffa31ac621a61a2d90dcc3a5d054cbd23098773932e1c9aa5
• Instruction ID: 7b19097f12c475e9eab699154f9cb664b068a5b0322d5720fd327917041f3e17
• Opcode Fuzzy Hash: 9cb9f742759ab7bffa31ac621a61a2d90dcc3a5d054cbd23098773932e1c9aa5
• Instruction Fuzzy Hash: 6B214875D002089FCB50DFAAD844BEEFFF4EB48320F148419E419A3250C7746944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 06F46AA0
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 214cf07cc4fb24a90bf929b74d54334bd17e6c765161c0c6e486b8a54b6c2524
• Instruction ID: e26538bba05fec1abed6d74a6e59ad04b952226d95db999c899d1ed65ebf8175
• Opcode Fuzzy Hash: 214cf07cc4fb24a90bf929b74d54334bd17e6c765161c0c6e486b8a54b6c2524
• Instruction Fuzzy Hash: D82135B1D006298BCB50DF9AC5447AEFBB4EF48324F14812AD814A7640D774AA44CFE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 06F46AA0
Memory Dump Source
• Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 76715c787fe7f065a2fd36bba57726adbd68891543653686fe85dfb82807a81f
• Instruction ID: b6637a5113189c6f2de7dd070697b86f85c94608389771bf88b3560690b8598c
• Opcode Fuzzy Hash: 76715c787fe7f065a2fd36bba57726adbd68891543653686fe85dfb82807a81f
• Instruction Fuzzy Hash: C22147B1D006199BCB10CFAAD5447EEFBB4FF48724F04812AD818B7640D734AA44CFA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F4E3A3
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HookWindows
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2559412058-0
                                                                                                                                                  • Opcode ID: 9e1a6d82c91c61fcb40970a19a2ba8d8ab8857680f9adf0ce0f3d1b782c30054
                                                                                                                                                  • Instruction ID: 4ae0d7f4a87e85bc05a976cd7253e5a3ca145cb95388c18160b250588cbf5ddd
                                                                                                                                                  • Opcode Fuzzy Hash: 9e1a6d82c91c61fcb40970a19a2ba8d8ab8857680f9adf0ce0f3d1b782c30054
                                                                                                                                                  • Instruction Fuzzy Hash: B72127B1D002099FCB54DFAAD844BEEFBF5FB88314F148429E419A7290CB74A945CFA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06D8F3FA,00000000,00000000,040D4188,0311FA20), ref: 06D8F848
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePeek
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2222842502-0
                                                                                                                                                  • Opcode ID: 03901f51a3b7524e8e468b1d1ce53bab758a1c5dfba195376066ee0448782947
                                                                                                                                                  • Instruction ID: a655ed78077f1e154f7e6f6399f8a4e5a1ff487e28ecdbefea84b7e4bfa22058
                                                                                                                                                  • Opcode Fuzzy Hash: 03901f51a3b7524e8e468b1d1ce53bab758a1c5dfba195376066ee0448782947
                                                                                                                                                  • Instruction Fuzzy Hash: 7911F9B5C002099FDB10CF9AD944BDEFBF8EB48320F14842AE955B7640D374A545CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06D8F3FA,00000000,00000000,040D4188,0311FA20), ref: 06D8F848
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePeek
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2222842502-0
                                                                                                                                                  • Opcode ID: e80727bfc9d31ce887c737e3103a242e3753a912ce07b37f3531a5a718297a72
                                                                                                                                                  • Instruction ID: 0f2cb0fa9ad9e4ef6bcc6901e59d59e70f5abfba751e506408075e446af23e11
                                                                                                                                                  • Opcode Fuzzy Hash: e80727bfc9d31ce887c737e3103a242e3753a912ce07b37f3531a5a718297a72
                                                                                                                                                  • Instruction Fuzzy Hash: B81137B1C002099FDB10DF9AD884BDEFBF8EB08360F14842AE955A7240D378A945CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06D87B59,00000800), ref: 06D87BEA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: 136fc1e63be0b3da48346ea22bbfefb77c8749aa8e1a26cb618215a9e2f27c66
                                                                                                                                                  • Instruction ID: d8758eefc06cdc551a6f8ec22dbf9973f793da7e64ad79eb1898584a94b85e0c
                                                                                                                                                  • Opcode Fuzzy Hash: 136fc1e63be0b3da48346ea22bbfefb77c8749aa8e1a26cb618215a9e2f27c66
                                                                                                                                                  • Instruction Fuzzy Hash: 851114B6D002089FDB10DF9AD848BDEFBF4EB48320F14842AE815A7600C375A945CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06D87B59,00000800), ref: 06D87BEA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.551667007.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6d80000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                  • Opcode ID: 4b708e6c293e95ae6691f9045f965bbeabcbe6ee06b4dec8658284d3ddac2678
                                                                                                                                                  • Instruction ID: dfd2cc4ccd8f24e0aed6ac06471af01109887a3ee4e9c6b399bb2202f20690c5
                                                                                                                                                  • Opcode Fuzzy Hash: 4b708e6c293e95ae6691f9045f965bbeabcbe6ee06b4dec8658284d3ddac2678
                                                                                                                                                  • Instruction Fuzzy Hash: 7811F6B6D002099FDB10DF9AD888ADEFBF4EB48324F24841ED915A7240C775A545CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 06DBEBC7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552051996.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6db0000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1890195054-0
                                                                                                                                                  • Opcode ID: 3a3f1713456441a3e30218ec86d1a6ba5adbe504c37e69a96f515172a1a16f5c
                                                                                                                                                  • Instruction ID: 3ed0f7726f747bbfe6a58a0092fa25fdc49f560cda024946d3d884cbdbe09377
                                                                                                                                                  • Opcode Fuzzy Hash: 3a3f1713456441a3e30218ec86d1a6ba5adbe504c37e69a96f515172a1a16f5c
                                                                                                                                                  • Instruction Fuzzy Hash: DE11E2B1C006199BCB10CFAAD544BDEFBF4AF48324F14856AD818B7240D778A945CFA6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 06F41316
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: 7901329bd00fa57771b7a18c1dde760551d6801a1780d112d0709d03c5ec09ce
                                                                                                                                                  • Instruction ID: 2aa36ae5ae49a606ccbf2520427bb3c8c12b3c9f40e6cbaf7e7f9c19b5b4d551
                                                                                                                                                  • Opcode Fuzzy Hash: 7901329bd00fa57771b7a18c1dde760551d6801a1780d112d0709d03c5ec09ce
                                                                                                                                                  • Instruction Fuzzy Hash: 491123B6C002498FCB10DF9AC444BEEFBF4EB48320F14855AD829B7600D374A545CFA1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • OleInitialize.OLE32(00000000), ref: 06F496D5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Initialize
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2538663250-0
                                                                                                                                                  • Opcode ID: 6c4eaf5c1b13d92db4e065558ee82babe56f14d13698b44fcdc2e39186b26612
                                                                                                                                                  • Instruction ID: 3513276e306bc489ab2877d37a0c466354bdf7330831cc5a704c543559184bb9
                                                                                                                                                  • Opcode Fuzzy Hash: 6c4eaf5c1b13d92db4e065558ee82babe56f14d13698b44fcdc2e39186b26612
                                                                                                                                                  • Instruction Fuzzy Hash: 631136B1D006088FCB10DFAAD444BDEBFF8EB48324F24845AD418A7640D374A544CFA6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 06F41316
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: d2db5d115ae73c8dc74460e8aef5111a08ffdf4572fc4c7a740a04eb6c4ec263
                                                                                                                                                  • Instruction ID: 4219164dea45eca799dac92177f5e83f902c30bc96ce1d9e5d1158c91f85f2d5
                                                                                                                                                  • Opcode Fuzzy Hash: d2db5d115ae73c8dc74460e8aef5111a08ffdf4572fc4c7a740a04eb6c4ec263
                                                                                                                                                  • Instruction Fuzzy Hash: 051102B5D002498FCB10DF9AC444BDEFBF4EB48224F14841AD429B7600D374A545CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • OleInitialize.OLE32(00000000), ref: 06F496D5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Initialize
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2538663250-0
                                                                                                                                                  • Opcode ID: 08e88f8e7e0bf972a97673a48133bddb7580371836606a8c34d439357b8f9252
                                                                                                                                                  • Instruction ID: 0f353f5eb60f07c1d39ebc12ca843ed13860ec31b370c7462dc5bbe3c73caf94
                                                                                                                                                  • Opcode Fuzzy Hash: 08e88f8e7e0bf972a97673a48133bddb7580371836606a8c34d439357b8f9252
                                                                                                                                                  • Instruction Fuzzy Hash: 7B1103B19006488FCB50DFAAD448BDEBFF8EB49324F148459D519A7640D3B4A944CFA6
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • KiUserCallbackDispatcher.NTDLL(?), ref: 06F48C17
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CallbackDispatcherUser
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2492992576-0
                                                                                                                                                  • Opcode ID: ae3980eab92f32ce27f05bca31406ee2bd7ec9f77763e6351dd8b3a94917e596
                                                                                                                                                  • Instruction ID: 677859a9ac7ae389292d15b359f2f7abf18ba252f3467bc381985ab587134f0d
                                                                                                                                                  • Opcode Fuzzy Hash: ae3980eab92f32ce27f05bca31406ee2bd7ec9f77763e6351dd8b3a94917e596
                                                                                                                                                  • Instruction Fuzzy Hash: F41133B1C002088FCB50DF9AD484BDEFFF4EB48324F14845AD529A7640C374A944CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  APIs
                                                                                                                                                  • KiUserCallbackDispatcher.NTDLL(?), ref: 06F48C17
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.552908197.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_6f40000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CallbackDispatcherUser
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2492992576-0
                                                                                                                                                  • Opcode ID: ca03cf511753a58d83f64f938ba129c17e9340fcb968551f2fe324ee327cd1a5
                                                                                                                                                  • Instruction ID: f717e6be0850d7b3be608797ecc5baff4fa695b757e04e7cef718ffe23fa6876
                                                                                                                                                  • Opcode Fuzzy Hash: ca03cf511753a58d83f64f938ba129c17e9340fcb968551f2fe324ee327cd1a5
                                                                                                                                                  • Instruction Fuzzy Hash: 231103B1D002088FCB10DF9AD984BDEFFF4EB48324F14841AD529A7640C775A585CFA5
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.526255179.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_16ed000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f5a8323a9d552250b6474d6a7af48c15aa4f78fd6711867932599cb477d14d6
                                                                                                                                                  • Instruction ID: bfdd53caaff6be425d361b007bb1f192991b21dd9a06128dff3167b8fcab1dca
                                                                                                                                                  • Opcode Fuzzy Hash: 9f5a8323a9d552250b6474d6a7af48c15aa4f78fd6711867932599cb477d14d6
                                                                                                                                                  • Instruction Fuzzy Hash: D9215E751093C09FD7038F64D994711BFB1AB46214F29C5DBD8848F2A7C33A985ACB62
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.526255179.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_16ed000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 480f4b1a45a988363403e0ee0b5a6faec593823c48086396293cf2e8a21d6690
                                                                                                                                                  • Instruction ID: 4ffa8d26e7f257b029bb4f19c3621a129535ad7824ce5f5cb0b06239e64d67cb
                                                                                                                                                  • Opcode Fuzzy Hash: 480f4b1a45a988363403e0ee0b5a6faec593823c48086396293cf2e8a21d6690
                                                                                                                                                  • Instruction Fuzzy Hash: BC21F571604240DFDB11DF58DDC8B26BFA5FB84354F28C669E8494B386C336D847CA62
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.526255179.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_16ed000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f58b25997849a63e8a07a9c310c8b1524652e7720caed8fd2b732a43751b446f
                                                                                                                                                  • Instruction ID: a9e312715c4c39306ccc089f46cfbd886928b3f0ec02b44bc6e3b7e2317f418d
                                                                                                                                                  • Opcode Fuzzy Hash: f58b25997849a63e8a07a9c310c8b1524652e7720caed8fd2b732a43751b446f
                                                                                                                                                  • Instruction Fuzzy Hash: E221F2B1604340DFDB05DF68D9C8B66BFA5FB84319F24C6ADE8494B346C336D846C662
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.526255179.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_16ed000_CsTapHIkAO.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4476479e99e71de4bf8c908fc859b99c75cf1e178d910189c4bdf6755b09acdd
                                                                                                                                                  • Instruction ID: fd6a89087389910ad3e97277ad25270eb07d18ff8c7da9d98eda385675742281
                                                                                                                                                  • Opcode Fuzzy Hash: 4476479e99e71de4bf8c908fc859b99c75cf1e178d910189c4bdf6755b09acdd
                                                                                                                                                  • Instruction Fuzzy Hash: 1D11BB75504280CFDB06CF24C9C8B15BFA2FB84218F24C6ADD8494B756C33AD44ACB52
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:9.6%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                  Total number of Nodes:97
                                                                                                                                                  Total number of Limit Nodes:8
execution_graph: node/edge listing exported from the interactive graph viewer (not rendered here). Windows API calls referenced by the graph nodes: FindCloseChangeNotification, CreateActCtxA, LoadLibraryExW, GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, PostMessageW.

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00B2C370
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00B2C3AD
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00B2C3EA
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00B2C443
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                                  • Opcode ID: 1e6b9786950b9698a7a1c58bd588517176d57b3865f1a0fb48c77f9c84ea7b30
                                                                                                                                                  • Instruction ID: 9a7c5fb85a608487148e0b8f678ddfc30e6caef235dbec74e612c137663991b3
                                                                                                                                                  • Opcode Fuzzy Hash: 1e6b9786950b9698a7a1c58bd588517176d57b3865f1a0fb48c77f9c84ea7b30
                                                                                                                                                  • Instruction Fuzzy Hash: 375144B09003498FDB14DFAAD548B9EBFF0EF48314F2484A9E409A7350D7746944CF6A
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00B2C370
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00B2C3AD
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00B2C3EA
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00B2C443
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063062207-0
                                                                                                                                                  • Opcode ID: becf1c9cccc3f06e6353497fdea9b6114c3658a1f06a39fe3a4e791eb0487e2e
                                                                                                                                                  • Instruction ID: d077e53d7528c00f5071f0c2dd9d78c74bd357829192e5f77e2395227f92015b
                                                                                                                                                  • Opcode Fuzzy Hash: becf1c9cccc3f06e6353497fdea9b6114c3658a1f06a39fe3a4e791eb0487e2e
                                                                                                                                                  • Instruction Fuzzy Hash: 6A5122B09007498FDB14DFAAD548BEEBFF0EF48314F248869E419A7350D774A944CB6A
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                  Control-flow Graph

Legend: Executed / Not Executed
control_flow_graph: basic-block edge listing for the function at 0xB2A028 exported from the interactive graph viewer (not rendered here). Windows API call referenced by the graph blocks: GetModuleHandleW.
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B2A26E
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: ddc02bce44a75dd0f4f8da39298e3ba42502a3d8d25443c73f8c409192769653
• Instruction ID: 67e833e62cd9801c2629ac479291369b1d1fc90e73ba1a3a13a28f2bdfc08429
• Opcode Fuzzy Hash: ddc02bce44a75dd0f4f8da39298e3ba42502a3d8d25443c73f8c409192769653
• Instruction Fuzzy Hash: 21712470A00B158FDB24DF6AE44175ABBF1FF88314F008A6ED44AD7A50DB35E8458F92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00B25421
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 84d963bffcbb73c1536dc9e0890d4d0b281ebc4a709e99a6323fe50d0e95bed1
• Instruction ID: a901e11213262a91266f4cd0c257a1c887bc5a777265e88939b6434f3834e2ad
• Opcode Fuzzy Hash: 84d963bffcbb73c1536dc9e0890d4d0b281ebc4a709e99a6323fe50d0e95bed1
• Instruction Fuzzy Hash: 6841E371D00618CFDB24DFAAC9847CDBBB1BF48304F24816AD418AB355D775598ACF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00B25421
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 72123a9f9ecc5ce3b17524e35ceded9910b610519411929184ece67a8302fbc1
• Instruction ID: 2afb4cef9a2feefd4393b63499a665e614398188918e9dd98e739e1e4d5ee584
• Opcode Fuzzy Hash: 72123a9f9ecc5ce3b17524e35ceded9910b610519411929184ece67a8302fbc1
• Instruction Fuzzy Hash: 7E41F471C00618CFDB24DFAAC844B9EBBF5BF44304F2480A9D418AB255D7756989CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B2C9C7
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6b06de541833354ebd1048658d522c78b3b8b46a87f2a92a43828fa871a6c218
• Instruction ID: 92fcf47c6dabf0688f5c4588a9ea277e57f0f11b5529791e1eebf15b59ba21d9
• Opcode Fuzzy Hash: 6b06de541833354ebd1048658d522c78b3b8b46a87f2a92a43828fa871a6c218
• Instruction Fuzzy Hash: 5D2123B69002499FDB00CFAAD484ADEFFF4EF48320F14845AE814A3310D374AA94CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B2C9C7
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f7b4b02c3efb96b8b79e4b76f05cf151d7f02a3bf719b5f5299c7b088d355007
• Instruction ID: 80fc0b3ecac2d22fe54235eb9b9e721f3a4f5d6354541cd30d350003ce00a9e1
• Opcode Fuzzy Hash: f7b4b02c3efb96b8b79e4b76f05cf151d7f02a3bf719b5f5299c7b088d355007
• Instruction Fuzzy Hash: AF21E4B59002089FDB10CFAAD584ADEBFF8EB48324F14845AE914B3350D374A954CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B2A2E9,00000800,00000000,00000000), ref: 00B2A4FA
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2bdbb91c336b81e5c0f3a59359d12f53d45ce7e27725a2b2824f400cdb669b59
• Instruction ID: 0ca0b5d7becfbf562e23ecce727c3f80139c49c151d9dae0385e250e6dfe2dc8
• Opcode Fuzzy Hash: 2bdbb91c336b81e5c0f3a59359d12f53d45ce7e27725a2b2824f400cdb669b59
• Instruction Fuzzy Hash: 4B1136B29003199FDB10CF9AD444AAEFBF4EB48324F14846EE419B7300C375A945CFA6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B2A2E9,00000800,00000000,00000000), ref: 00B2A4FA
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 944e16a6db4e05e9f81de28c139eba8dddda1987b7170b451f3bb0106c510416
• Instruction ID: eb6f1c8af4c56dc67d571ad2cd2deffa6812ff73d535c46271de5133816bb863
• Opcode Fuzzy Hash: 944e16a6db4e05e9f81de28c139eba8dddda1987b7170b451f3bb0106c510416
• Instruction Fuzzy Hash: F11114B69002498FDB10CFAAD444AEEFBF4AB48314F14845AD429B7650C375A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 066A4E80
Memory Dump Source
• Source File: 0000000B.00000002.344667778.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_66a0000_BKEDEaL.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 62ad766462445b13aa1e1fc50f89f77f83026baff476005110e7f7043f033802
• Instruction ID: c62f419a06d8f5a77f624ac92b6a3da1d76d545f074fe12fddc028b5441d0c5b
• Opcode Fuzzy Hash: 62ad766462445b13aa1e1fc50f89f77f83026baff476005110e7f7043f033802
• Instruction Fuzzy Hash: C91158B1C003498FCB50CFAAC444BDEBBF4EB48324F24841AD418A7740D778A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 066A4E80
Memory Dump Source
• Source File: 0000000B.00000002.344667778.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_66a0000_BKEDEaL.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: c8331503b91807a11c0d2f4577e1954eb7169b44954ccb9bde9e5f356a9b1244
• Instruction ID: 17dbfc4861051881a7b8a0355d51d594999b79c9c23cadf20879f30dbc9dcb6b
• Opcode Fuzzy Hash: c8331503b91807a11c0d2f4577e1954eb7169b44954ccb9bde9e5f356a9b1244
• Instruction Fuzzy Hash: 201133B18003498FCB50CFAAC444BDEBBF4EB48324F24841AD958A7740D779AA44CFA6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; Executed / Not Executed colouring not preserved in text)
• Blocks: 158 b2a208-b2a248; 159 b2a250-b2a27b (GetModuleHandleW); 160 b2a24a-b2a24d; 161 b2a284-b2a298; 162 b2a27d-b2a283
• Edges: 158->159, 158->160, 159->161, 159->162, 160->159, 162->161
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B2A26E
Memory Dump Source
• Source File: 0000000B.00000002.332947052.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b20000_BKEDEaL.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 685cdd99f1108c946e6316e196a98a45665d7fb9fff84ec868fe2e71816a7a33
• Instruction ID: f1b5695264fa6d2f9008cb19ac8c9d0eeb0430749328bd2d1448b83369ba706a
• Opcode Fuzzy Hash: 685cdd99f1108c946e6316e196a98a45665d7fb9fff84ec868fe2e71816a7a33
• Instruction Fuzzy Hash: 52110FB6C00249CFCB10CF9AD844ADEFBF4EB88324F14855AD829A7600D379A545CFA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; Executed / Not Executed colouring not preserved in text)
• Blocks: 169 66a2a19-66a2a8a (PostMessageW); 171 66a2a8c-66a2a92; 172 66a2a93-66a2aa7
• Edges: 169->171, 169->172, 171->172
APIs
• PostMessageW.USER32(?,?,?,?), ref: 066A2A7D
Memory Dump Source
• Source File: 0000000B.00000002.344667778.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_66a0000_BKEDEaL.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 57494d6035b1bd972bbdc704be2a93d0bc2171851264b6c055c3178e39e8b41f
• Instruction ID: 8bca96067d030794d11f94d116b292e5f6912944acc8fd2a5677d4f7abd0632a
• Opcode Fuzzy Hash: 57494d6035b1bd972bbdc704be2a93d0bc2171851264b6c055c3178e39e8b41f
• Instruction Fuzzy Hash: 9B1136B58003098FDB10CF9AC884BDEBBF8EB48324F14850AE524A3640C3746A84CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; Executed / Not Executed colouring not preserved in text)
• Blocks: 174 66a2a20-66a2a8a (PostMessageW); 175 66a2a8c-66a2a92; 176 66a2a93-66a2aa7
• Edges: 174->175, 174->176, 175->176
APIs
• PostMessageW.USER32(?,?,?,?), ref: 066A2A7D
Memory Dump Source
• Source File: 0000000B.00000002.344667778.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_66a0000_BKEDEaL.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b5ed625d26c88c33da5247bd06cc2055743a54e8dc3e54dad25d0fec1aba2d18
• Instruction ID: 0d7df2c212d126d61f95dab9de361d92510976c362e5c8be40e41881292eb6fc
• Opcode Fuzzy Hash: b5ed625d26c88c33da5247bd06cc2055743a54e8dc3e54dad25d0fec1aba2d18
• Instruction Fuzzy Hash: E21115B58003499FDB50CF9AC884BDEFBF8EB48324F148419E914A3700D375AA54CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332562338.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_87d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebec13e55fa37d901d095f0ad4960dc00ef29b33b88ae272cd3282a61e6c6a33
• Instruction ID: 2f6db8d9bf020502e7e908128cb9dbcb80e095ae33dae58b7638d69a5cb86cae
• Opcode Fuzzy Hash: ebec13e55fa37d901d095f0ad4960dc00ef29b33b88ae272cd3282a61e6c6a33
• Instruction Fuzzy Hash: 34210672500344DFDB01DF14D9C0B26BF75FF98324F24C569E8098B24AC336E856D6A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332620575.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_88d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29ca6e2f0f66984db6c506d079f0f7a09a98c9c2fda903ca182f9ddca7304bf3
• Instruction ID: 94ee31eba1285028109c82a7f44571377ba6ff6923c41918aa79909e15f8b520
• Opcode Fuzzy Hash: 29ca6e2f0f66984db6c506d079f0f7a09a98c9c2fda903ca182f9ddca7304bf3
• Instruction Fuzzy Hash: 7921F571604744DFDB15EF24D9C4B26BB65FB84318F24C569E8498B286C336D847CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332620575.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_88d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0501fb4c16b4d321d2af2958d5ab440e90692ec4619c3c65fa45e5225ff7fb54
• Instruction ID: 99f2f2eae5442cce32b02fc8c4bfcd5db5703c5202e4404e8710a83e847496ea
• Opcode Fuzzy Hash: 0501fb4c16b4d321d2af2958d5ab440e90692ec4619c3c65fa45e5225ff7fb54
• Instruction Fuzzy Hash: 52210771604344DFDB11EF64D5C0B26FB65FB84318F24C6ADE8498B285C336E846CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332562338.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_87d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f11c0ec260945676c560dd4e69ce8059961bef1f565240baec4612520ab4a839
• Instruction ID: 4c9bb13c8d889b017a5cdb131f1d60d8a1232626d9b27fda4183c570b1884e3e
• Opcode Fuzzy Hash: f11c0ec260945676c560dd4e69ce8059961bef1f565240baec4612520ab4a839
• Instruction Fuzzy Hash: 1611AF76504280DFDB12CF14D5C4B16BF71FB94324F28C6A9D8494B61AC33AE85ACBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332620575.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_88d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a83792440f48484744767575037aa23603e1ac30f97161f2de9761c246bf89fe
• Instruction ID: 804958f2f9ab2f249d6e009ec682fc0679e1a24391bb6582299057aca71348fa
• Opcode Fuzzy Hash: a83792440f48484744767575037aa23603e1ac30f97161f2de9761c246bf89fe
• Instruction Fuzzy Hash: 2711BE75504280DFCB12DF14C5C4B15FB61FB84314F24C6ADD8498B696C33AE84ACB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332620575.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_88d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a83792440f48484744767575037aa23603e1ac30f97161f2de9761c246bf89fe
• Instruction ID: 38ba14b228b611d054b44d5aac9229c3fdaa346af0fc5edb6be702fce9023594
• Opcode Fuzzy Hash: a83792440f48484744767575037aa23603e1ac30f97161f2de9761c246bf89fe
• Instruction Fuzzy Hash: A811BE75504780CFDB11DF14D5D4B15FB61FB44314F24C6A9D8498B696C33AD84ACB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.332562338.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_87d000_BKEDEaL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87cde7d3218bddc5ff5dc91c9f2abdc8efb12c1b3d93b2cb80d31b4cec376cb3
• Instruction ID: 14d6485e6df7b4bbc846b003ff30bee94b0d4268e15e59fab7e162eecc5c2327
• Opcode Fuzzy Hash: 87cde7d3218bddc5ff5dc91c9f2abdc8efb12c1b3d93b2cb80d31b4cec376cb3
• Instruction Fuzzy Hash: D301FC711043449AE7144A29CD84766BFA8FF513B8F18C559ED489F289D379D844C6B1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000B.00000002.332562338.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_11_2_87d000_BKEDEaL.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 854710d8610aa4bb3360940eb3e9705a066d990fea97c869a82d937fde40eec9
                                                                                                                                                  • Instruction ID: 83e0c26fe87f31c718686bb8ed33249a8e5ce2ab999411c3d0b3a145dc3a1275
                                                                                                                                                  • Opcode Fuzzy Hash: 854710d8610aa4bb3360940eb3e9705a066d990fea97c869a82d937fde40eec9
                                                                                                                                                  • Instruction Fuzzy Hash: 6DF062714043449AE7148E1ACD88B62FFA8EF91774F18C55EED489B68AC3799C44CAB1
                                                                                                                                                  Uniqueness

                                                                                                                                                  Uniqueness Score: -1.00%