Windows Analysis Report
CsTapHIkAO.exe

Overview

General Information

Sample Name: CsTapHIkAO.exe
Original Sample Name: fc7ad54f4f2e785ad748d952945cc888.exe
Analysis ID: 830842
MD5: fc7ad54f4f2e785ad748d952945cc888
SHA1: 890ab6267da79e151b8c42e9f7f6a19d59a0eb4a
SHA256: 745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Adds / modifies Windows certificates
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • CsTapHIkAO.exe (PID: 2416 cmdline: C:\Users\user\Desktop\CsTapHIkAO.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
    • CsTapHIkAO.exe (PID: 4496 cmdline: C:\Users\user\Desktop\CsTapHIkAO.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • BKEDEaL.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe" MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5316 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • BKEDEaL.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe" MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5116 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
    • BKEDEaL.exe (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe MD5: FC7AD54F4F2E785AD748D952945CC888)
  • cleanup
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Host": "mail.spjsv.ro", "Username": "psihiatrie@spjsv.ro", "Password": "Qpgi1i[5KoaZ"}
Yara matches (Source | Rule | Description | Author):
Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: CsTapHIkAO.exe PID: 4496 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CsTapHIkAO.exe | ReversingLabs: Detection: 30%
Source: CsTapHIkAO.exe | Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Virustotal: Detection: 41%
Source: CsTapHIkAO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Joe Sandbox ML: detected
Source: 0.2.CsTapHIkAO.exe.3e30db0.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.spjsv.ro", "Username": "psihiatrie@spjsv.ro", "Password": "Qpgi1i[5KoaZ"}
Source: CsTapHIkAO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: CsTapHIkAO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
Source: Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr

Networking

Source: C:\Users\user\Desktop\CsTapHIkAO.exe | DNS query: name: api.ipify.org (6 identical entries)
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | DNS query: name: api.ipify.org (12 identical entries)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 104.237.62.211
Source: Joe Sandbox View | IP Address: 89.43.174.45
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive (3 identical entries)
Source: global traffic | TCP traffic: 192.168.2.3:49701 -> 89.43.174.45:26
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
            Source: CsTapHIkAO.exe, 00000001.00000002.553832121.0000000007AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
            Source: CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
            Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BC1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320377682.0000000007AEA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003174000.00000004.00000800.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B60000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.553888439.0000000007B62000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.318417707.0000000006B20000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.527846084.000000000314F000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000001008000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.523570604.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.549038631.0000000006578000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000003.397265850.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.549149990.0000000006870000.00000004.00000020.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.523285694.0000000001022000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000C.00000002.529011306.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, BKEDEaL.exe, 0000000F.00000002.527812814.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eca.hinet.net/repository0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
            Source: CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
            Source: CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
            Source: CsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
            Source: CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
            Source: CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
            Source: unknownDNS traffic detected: queries for: api.ipify.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.3:49707 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: CsTapHIkAO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 0_2_010AC844
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 0_2_010AF1E8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 0_2_010AF1F8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179C978
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179A9B8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_01799DA0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_0179A0E8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D8C6F0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D8F218
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D87C21
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06D86840
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DBE650
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DBB570
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB4690
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB8F98
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB7FB8
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06DB1D48
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F421CC
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F42F48
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F4ADE0
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Code function: 1_2_06F42F38
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2C844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2F1F8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_00B2F1E8
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A00B0
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A44C2
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Code function: 11_2_066A00C6
            Source: CsTapHIkAO.exe, 00000000.00000002.299330117.0000000007210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.274302324.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003E30000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename72bf0450-d492-48ae-a6de-5246371049be.exe4 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000002.278694317.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000000.00000000.251613107.000000000070A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.527846084.0000000003160000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe, 00000001.00000002.522177243.0000000000FA9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exeBinary or memory string: OriginalFilenameltqW.exe> vs CsTapHIkAO.exe
            Source: CsTapHIkAO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: BKEDEaL.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: CsTapHIkAO.exe ReversingLabs: Detection: 30%
            Source: CsTapHIkAO.exe Virustotal: Detection: 41%
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File read: C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: CsTapHIkAO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: unknown Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: unknown Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe (observed 2 times)
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe (observed 3 times)
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (observed 2 times)
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (observed 2 times)
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (observed 4 times)
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CsTapHIkAO.exe.log
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/9@12/3
            Source: CsTapHIkAO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (observed 2 times)
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (observed 4 times)
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File read: C:\Windows\System32\drivers\etc\hosts (observed 6 times)
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe File read: C:\Windows\System32\drivers\etc\hosts (observed 10 times)
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: CsTapHIkAO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: CsTapHIkAO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: CsTapHIkAO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: ltqW.pdb source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
            Source: Binary string: ltqW.pdbSHA256"<P source: CsTapHIkAO.exe, BKEDEaL.exe.1.dr
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Code function: 0_2_010ACB38 pushfd ; ret
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Code function: 1_2_0179B9C0 push es; ret
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Code function: 1_2_06DB26E0 push FFFFFF8Bh; iretd
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Code function: 1_2_06DBD210 push es; ret
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Code function: 1_2_06F4760A push es; ret
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Code function: 11_2_066A247D push es; retf
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Code function: 11_2_066A240F push es; retf
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Code function: 11_2_066A24F9 push 00000006h; retf
            Source: initial sample Static PE information: section name: .text entropy: 7.86900119148787 (observed 2 times)
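The entropy figure above (7.87 bits per byte for .text) is the packing heuristic behind the "obfuscated / packed" finding: plain compiled code rarely exceeds about 6.5, while compressed or encrypted payloads approach 8.0. The following is an added example, not code from the Joe Sandbox report or from the sample, that computes Shannon entropy per PE section with a small struct-based parser of the section table (no pefile dependency). The 7.0 threshold and the build_minimal_pe() helper, which fabricates a skeletal PE so the script runs offline, are assumptions for the demonstration.

```python
"""Per-section Shannon entropy for a PE file, the check behind a ".text entropy: 7.87" finding.

Added example, not code from the Joe Sandbox report or from the sample. The section
table is parsed with struct alone (no pefile dependency). The 7.0 bits/byte threshold
is an assumed heuristic: plain compiled x86/.NET code usually lands around 5.5-6.5,
while packed or encrypted sections approach 8.0.
"""
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: heuristic cut-off, not a value taken from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) per IMAGE_SECTION_HEADER.

    Walk: e_lfanew -> "PE\\0\\0" -> IMAGE_FILE_HEADER (20 bytes) -> optional header
    (SizeOfOptionalHeader bytes) -> NumberOfSections headers of 40 bytes each.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first = e_lfanew + 4 + 20 + opt_size
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def section_entropies(pe: bytes) -> dict:
    return {name: round(shannon_entropy(data), 3) for name, data in pe_sections(pe)}


def looks_packed(pe: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the .text section is too random to be ordinary compiled code."""
    return section_entropies(pe).get(".text", 0.0) >= threshold


def build_minimal_pe(sections) -> bytes:
    """Constructed sample: a skeletal PE32 with the given (name, bytes) sections.

    Just enough header structure for pe_sections() to walk; not a loadable image.
    """
    opt_size = 224                                   # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (headers_len + 0x1FF) & ~0x1FF      # align section data to 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    sec_hdrs, body, ptr = b"", b"", data_start
    for name, raw in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        padded = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
        body += padded
        ptr += len(padded)
    image = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs
    return image.ljust(data_start, b"\0") + body


if __name__ == "__main__":
    # Packed-looking .text (every byte value equally often) beside a constant .rsrc.
    demo = build_minimal_pe([(".text", bytes(range(256)) * 16), (".rsrc", b"A" * 1024)])
    for name, ent in section_entropies(demo).items():
        print(f"{name:8} entropy={ent:.3f}")
    print("looks packed:", looks_packed(demo))
```

To score a real file, pass `open(path, "rb").read()` to `section_entropies()`; a .NET assembly whose .text scores near 8.0, as here, is carrying an encrypted payload that only appears in memory, which is why the memory dumps above show OriginalFilename values (Outimurs.dll, Cruiser.dll) that the file on disk does not.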
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL (observed 2 times)
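The drop to %APPDATA%\BKEDEaL\BKEDEaL.exe, the Run value named BKEDEaL, the deletion of that file's Zone.Identifier stream (listed under Hooking below) and the later launches from that path are one persistence chain, and the process-creation lines are the tree a sandbox shows when the same image is started repeatedly. The following is an added example, not code from the Joe Sandbox report, that parses behaviour lines in the "Source: <process> <Event>: <detail>" form used on this page, rebuilds the process tree and checks whether the chain is complete. The line format, the event-kind list and the match of the Run value name against the dropped file's basename are assumptions that fit this report; the sample lines are copied from it.

```python
"""Extract IOCs from sandbox behaviour lines and check the persistence chain they describe.

Added example, not code from the Joe Sandbox report. It assumes the cleaned line form
"Source: <process> <Event>: <detail>" used on this page; the sample lines are copied
from the report. The Run-key match on the dropped file's basename is an assumption that
fits this sample (folder, file and Run value are all named BKEDEaL).
"""
import re
from collections import defaultdict

# Constructed sample: behaviour lines taken from this report.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe File created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL
Source: C:\Users\user\Desktop\CsTapHIkAO.exe File opened: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe:Zone.Identifier read attributes | delete
Source: unknown Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe "C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
Source: C:\Users\user\Desktop\CsTapHIkAO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
""".strip().splitlines()

EVENT_KINDS = ("Process created", "File created", "File opened", "Key opened",
               "Registry value created or modified", "WMI Queries")
LINE_RE = re.compile(r"^Source: (?P<source>.+?) (?P<kind>"
                     + "|".join(re.escape(k) for k in EVENT_KINDS) + r"): (?P<detail>.*)$")
RUN_KEY_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")


def parse_line(line: str):
    """One behaviour line -> {"source", "kind", "detail"}, or None for lines of other kinds."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_report(lines):
    return [ev for ev in map(parse_line, lines) if ev]


def image_of(command_line: str) -> str:
    """First token of a command line; the report prints the image path unquoted first."""
    return command_line.split(" ", 1)[0]


def process_tree(events):
    """Parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for ev in events:
        if ev["kind"] == "Process created":
            tree[ev["source"]].append(image_of(ev["detail"]))
    return dict(tree)


def persistence_chain(events):
    """For each .exe dropped under AppData, say whether the report also shows a Run-key value
    named after it, deletion of its Zone.Identifier stream, and a launch from that path."""
    dropped = [ev["detail"] for ev in events
               if ev["kind"] == "File created"
               and ev["detail"].lower().endswith(".exe") and "\\appdata\\" in ev["detail"].lower()]
    run_values = {}
    for ev in events:
        if ev["kind"] == "Registry value created or modified":
            key, _, value_name = ev["detail"].rpartition(" ")   # "<key path> <value name>"
            if key.lower().endswith(RUN_KEY_SUFFIXES):
                run_values[value_name] = key
    motw_removed = {ev["detail"].split(":Zone.Identifier", 1)[0] for ev in events
                    if ev["kind"] == "File opened"
                    and ":Zone.Identifier" in ev["detail"] and "delete" in ev["detail"]}
    launched = {image_of(ev["detail"]) for ev in events if ev["kind"] == "Process created"}
    chains = []
    for path in dropped:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        chains.append({"dropped": path, "run_key": run_values.get(stem),
                       "motw_removed": path in motw_removed, "launched": path in launched})
    return chains


def is_full_chain(chain) -> bool:
    return bool(chain["run_key"]) and chain["motw_removed"] and chain["launched"]


if __name__ == "__main__":
    events = parse_report(SAMPLE_LINES)
    for parent, children in process_tree(events).items():
        print(parent, "->", children)
    for chain in persistence_chain(events):
        print(chain, "complete" if is_full_chain(chain) else "partial")
```

On a live host the same three facts are checked with the registry value under HKCU\...\CurrentVersion\Run, the presence of the file under %APPDATA% and the absence of its Zone.Identifier stream; the parser only reads the sandbox's record of those actions.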

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\CsTapHIkAO.exe File opened: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process information set: NOOPENFILEERRORBOX (observed 94 times)
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 3924 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 2816 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5208 Thread sleep count: 9330 > 30
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1198454s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195797s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195640s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195499s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195373s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1195094s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194954s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194797s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194651s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194531s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194389s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1194179s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193949s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193794s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193641s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193511s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193363s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193250s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1193140s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192992s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192824s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192713s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192589s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192485s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192356s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192249s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1192047s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191934s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191811s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191641s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191501s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191375s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191262s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191156s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1191030s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190887s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190751s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190594s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190468s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -1190342s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99844s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99733s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99605s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99483s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99341s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99217s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -99107s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98998s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98868s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98763s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98652s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98542s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -98204s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe TID: 5196 Thread sleep time: -97954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 1708 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5444 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 5152 Thread sleep count: 9101 > 30
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199704s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199286s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199172s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1199000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198875s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198593s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198358s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1198156s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197907s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197750s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197601s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197407s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1197117s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196994s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196700s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196406s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196297s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196168s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1196047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195859s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195704s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195401s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1195047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194907s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194454s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1194108s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193657s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193387s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -1193157s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99802s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99687s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99564s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99437s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99327s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99215s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -99104s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98993s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98874s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98764s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4300 Thread sleep time: -98656s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4768 Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3044 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 3332 Thread sleep count: 9068 > 30
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199594s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199335s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1199000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198782s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198641s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198391s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1198047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197671s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197406s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197273s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1197126s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196983s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196688s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196547s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196432s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196264s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1196094s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195852s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195724s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195594s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195484s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195326s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195196s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1195047s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194919s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194797s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194641s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194370s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194203s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1194088s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193953s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193843s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193700s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193541s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193391s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1193101s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1192984s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1192837s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1192719s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1192610s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -1192453s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99688s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99359s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99250s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99140s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -99031s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98921s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98812s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98703s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98578s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98469s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98360s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98188s >= -30000s
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe TID: 4860 Thread sleep time: -98047s >= -30000s
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1198454
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195640
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195499
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195373
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195094
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194954
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194651
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194531
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194389
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194179
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193949
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193794
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193511
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193363
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193250
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193140
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192992
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192824
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192713
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192589
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192485
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192356
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192249
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192047
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191934
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191811
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191501
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191375
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191262
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191156
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191030
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190887
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190751
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190594
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190468
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190342
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199286
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199172
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198875
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198593
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198358
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198156
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197750
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197601
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197407
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197117
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196994
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196297
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196168
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195859
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195401
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194454
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194108
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193954
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193657
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193387
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193157
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199335
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198782
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197671
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197273
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197126
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196983
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196432
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196264
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196094
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195852
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195724
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195484
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195326
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195196
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194919
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194370
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194088
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193953
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193843
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193541
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192984
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192837
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192719
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192610
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192453
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Window / User API: threadDelayed 9330
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Window / User API: threadDelayed 9101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Window / User API: threadDelayed 9068
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1198454
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195640
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195499
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195373
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1195094
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194954
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194797
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194651
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194531
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194389
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1194179
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193949
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193794
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193511
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193363
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193250
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1193140
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192992
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192824
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192713
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192589
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192485
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192356
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192249
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1192047
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191934
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191811
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191641
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191501
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191375
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191262
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191156
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1191030
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190887
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190751
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190594
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190468
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 1190342
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99844
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99733
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99605
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99483
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99341
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99217
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 99107
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98998
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98868
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98763
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98652
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98542
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 98204
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe | Thread delayed: delay time: 97954
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199286
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199172
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198875
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198593
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198358
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198156
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197750
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197601
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197407
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197117
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196994
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196297
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196168
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195859
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195704
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195401
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194907
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194454
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194108
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193954
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193657
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193387
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193157
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99802
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99687
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99564
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99437
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99327
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99215
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 99104
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 98993
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 98874
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 98764
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 98656
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1200000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199335
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1199000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198782
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1198047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197671
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197406
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197273
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1197126
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196983
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196547
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196432
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196264
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1196094
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195852
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195724
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195594
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195484
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195326
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195196
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1195047
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194919
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194797
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194641
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194500
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194370
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194203
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1194088
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193953
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193843
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193700
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193541
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193391
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1193101
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | Thread delayed: delay time: 1192984
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192837
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192719
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192610
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 1192453
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 100000
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99844
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99688
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99359
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99250
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99140
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 99031
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98921
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98812
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98703
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98578
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98469
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98360
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98188
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exeThread delayed: delay time: 98047
            Source: BKEDEaL.exe, 0000000C.00000003.350298559.0000000001018000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
            Source: CsTapHIkAO.exe, 00000001.00000003.308498234.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311226037.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000002.550487471.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.320215817.0000000006BBA000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.307858436.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.317796217.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312368092.0000000006BBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: BKEDEaL.exe, 0000000F.00000003.382899429.00000000010B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Memory written: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Process created: C:\Users\user\Desktop\CsTapHIkAO.exe C:\Users\user\Desktop\CsTapHIkAO.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe Process created: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Users\user\Desktop\CsTapHIkAO.exe VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Code function: 1_2_0179F6D0 GetUserNameW,
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

            Stealing of Sensitive Information

            Source: Yara match  File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\CsTapHIkAO.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: Yara match  File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match  File source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: CsTapHIkAO.exe PID: 4496, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5316, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: BKEDEaL.exe PID: 5576, type: MEMORYSTR
            MITRE ATT&CK Matrix (columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts211
            Windows Management Instrumentation
            1
            Registry Run Keys / Startup Folder
            111
            Process Injection
            11
            Disable or Modify Tools
            1
            OS Credential Dumping
            1
            Account Discovery
            Remote Services1
            Archive Collected Data
            Exfiltration Over Other Network Medium1
            Ingress Tool Transfer
            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Registry Run Keys / Startup Folder
            2
            Obfuscated Files or Information
            11
            Input Capture
            114
            System Information Discovery
            Remote Desktop Protocol1
            Data from Local System
            Exfiltration Over Bluetooth11
            Encrypted Channel
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
            Software Packing
            1
            Credentials in Registry
            1
            Query Registry
            SMB/Windows Admin Shares1
            Email Collection
            Automated Exfiltration1
            Non-Standard Port
            Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
            Masquerading
            NTDS211
            Security Software Discovery
            Distributed Component Object Model11
            Input Capture
            Scheduled Transfer2
            Non-Application Layer Protocol
            SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Modify Registry
            LSA Secrets1
            Process Discovery
            SSH1
            Clipboard Data
            Data Transfer Size Limits13
            Application Layer Protocol
            Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common131
            Virtualization/Sandbox Evasion
            Cached Domain Credentials131
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items111
            Process Injection
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
            Hidden Files and Directories
            Proc Filesystem1
            System Owner/User Discovery
            Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
            Remote System Discovery
            Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
            System Network Configuration Discovery
            Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
Behavior Graph ID: 830842, Sample: CsTapHIkAO.exe, Startdate: 20/03/2023, Architecture: WINDOWS, Score: 100

Start (node 2)
  Signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample
  started CsTapHIkAO.exe 3 (node 6)
    Dropped: C:\Users\user\AppData\...\CsTapHIkAO.exe.log, ASCII
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    started CsTapHIkAO.exe 17 10 (node 14)
      DNS/IP: api4.ipify.org 104.237.62.211, 443, 49700, 49705 WEBNXUS United States; mail.spjsv.ro 89.43.174.45, 26, 49701, 49704 CHROOTBucharestROMANIAEURO Romania; api.ipify.org
      Dropped: C:\Users\user\AppData\Roaming\...\BKEDEaL.exe, PE32; C:\Users\user\...\BKEDEaL.exe:Zone.Identifier, ASCII
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
  started BKEDEaL.exe 3 (node 10)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started BKEDEaL.exe 14 7 (node 19)
      DNS/IP: api.ipify.org
  started BKEDEaL.exe 2 (node 12)
    Signatures: Injects a PE file into a foreign processes
    started BKEDEaL.exe (node 21)
      DNS/IP: 173.231.16.76, 443, 49707 WEBNXUS United States; api.ipify.org
      Signatures: Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
    started BKEDEaL.exe (node 23)

Source | Detection | Scanner | Label | Link
CsTapHIkAO.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
CsTapHIkAO.exe | 41% | Virustotal | | Browse
CsTapHIkAO.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe | 41% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
mail.spjsv.ro | 3% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 104.237.62.211 | true | false | | high
mail.spjsv.ro | 89.43.174.45 | true | false | | unknown
api.ipify.org | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                http://www.carterandcone.comlCsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.certeurope.fr/reference/pc-root2.pdf0CsTapHIkAO.exe, 00000001.00000003.310786837.0000000006BC4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://ac.economia.gob.mx/last.crl0GCsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlCsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.catcert.net/verarrelCsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.disig.sk/ca0fCsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.e-szigno.hu/RootCA.crlCsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.sk.ee/juur/crl/0CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.chambersign.org/chambersignroot.crl0CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://certs.oati.net/repository/OATICA2.crl0CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.oces.trust2408.com/oces.crl0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.quovadis.bm0CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://eca.hinet.net/repository0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://crl.ssc.lt/root-a/cacrl.crl0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://certs.oaticerts.com/repository/OATICA2.crlCsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.trustdst.com/certificates/policy/ACES-index.html0CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://certs.oati.net/repository/OATICA2.crt0CsTapHIkAO.exe, 00000001.00000003.311686118.0000000006B2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.accv.es00CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.pkioverheid.nl/policies/root-policy-G20CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.319867307.0000000007B9F000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312330521.0000000007B9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.netlock.net/docsCsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.e-trust.be/CPS/QNcertsCsTapHIkAO.exe, 00000001.00000003.311064572.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.312211064.0000000007B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://ocsp.ncdc.gov.sa0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designersGCsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://fedir.comsign.co.il/crl/ComSignCA.crl0CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007ADC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers/?CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0CsTapHIkAO.exe, 00000001.00000003.312665362.0000000007B5B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://web.ncdc.gov.sa/crl/nrcaparta1.crlCsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.datev.de/zertifikat-policy-int0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007BA1000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmp, CsTapHIkAO.exe, 00000001.00000003.311516680.0000000007B92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.founder.com.cn/cn/bTheCsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers?CsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://repository.luxtrust.lu0CsTapHIkAO.exe, 00000001.00000003.311379654.0000000006B38000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://cps.chambersign.org/cps/chambersroot.html0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.acabogacia.org0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://ocsp.eca.hinet.net/OCSP/ocspG2sha20CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.firmaprofesional.com/cps0CsTapHIkAO.exe, 00000001.00000003.312268892.0000000007B64000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.tiro.comCsTapHIkAO.exe, 00000000.00000002.295374704.0000000006BB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.uce.gub.uy/acrn/acrn.crl0CsTapHIkAO.exe, 00000001.00000003.311829916.0000000007B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP               Domain           Country        ASN    ASN Name                     Malicious
104.237.62.211   api4.ipify.org   United States  18450  WEBNXUS                      false
89.43.174.45     mail.spjsv.ro    Romania        56430  CHROOTBucharestROMANIAEURO   false
173.231.16.76    unknown          United States  18450  WEBNXUS                      false
                                                                        Joe Sandbox Version:37.0.0 Beryl
                                                                        Analysis ID:830842
                                                                        Start date and time:2023-03-20 18:26:16 +01:00
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 10m 0s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:light
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample file name:CsTapHIkAO.exe
                                                                        Original Sample Name:fc7ad54f4f2e785ad748d952945cc888.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@11/9@12/3
                                                                        EGA Information:
                                                                        • Successful, ratio: 100%
                                                                        HDC Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 100%
                                                                        • Number of executed functions: 0
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                        • TCP Packets have been reduced to 100
                                                                        • Excluded IPs from analysis (whitelisted): 23.10.249.161, 23.10.249.147, 8.238.191.126, 8.238.88.254, 8.238.189.126, 8.238.88.248, 8.238.85.126, 209.197.3.8
                                                                        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type              Description
18:27:19  API Interceptor   750x Sleep call for process: CsTapHIkAO.exe modified
18:27:28  Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
18:27:39  Autostart         Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BKEDEaL C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
18:27:42  API Interceptor   1099x Sleep call for process: BKEDEaL.exe modified
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                        Category:dropped
                                                                        Size (bytes):62582
                                                                        Entropy (8bit):7.996063107774368
                                                                        Encrypted:true
                                                                        SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                                                                        MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                                                                        SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                                                                        SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                                                                        SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):328
                                                                        Entropy (8bit):3.1335351732898324
                                                                        Encrypted:false
                                                                        SSDEEP:6:kKLFGry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:8CvkPlE99SNxAhUext
                                                                        MD5:8F9C6E370F1D7C5E4C781D6EB5CA40B6
                                                                        SHA1:F1481D2A7389EF1EA5BBABCEB9EB68E003EF0F7F
                                                                        SHA-256:8756E1D44F7190F0AC920D89A89F3A59F31E31C7AD4725C62E5806683B6B76D9
                                                                        SHA-512:E836FE0C57DF529A59CE06BB8E7797B82F587ED9C34E88FD2CC44BC81105C81BB2C5D21B8BEEABF7C05A359B7C1B088DD09BF5C4298ADB9007F1BDB755AA8424
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:p...... ..........`M.\..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                                                                        Process:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                        Malicious:true
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                        Category:modified
                                                                        Size (bytes):28672
                                                                        Entropy (8bit):1.4755077381471955
                                                                        Encrypted:false
                                                                        SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                        MD5:DEE86123FE48584BA0CE07793E703560
                                                                        SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                        SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                        SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):752128
                                                                        Entropy (8bit):7.860252795159179
                                                                        Encrypted:false
                                                                        SSDEEP:12288:J5lmYMUnFW/NDMsa/S5MZJ+1ghNBtVyML3H1vY/ADhm1of1OWHBP/28dEQvYbow:J5lUVMsyS50vXV3Fvqx1vWHJ/28dh5
                                                                        MD5:FC7AD54F4F2E785AD748D952945CC888
                                                                        SHA1:890AB6267DA79E151B8C42E9F7F6A19D59A0EB4A
                                                                        SHA-256:745334EBCF459EC748D00EAF3BCB94045CEBDD6275ACA548255C1C922F0F9D9D
                                                                        SHA-512:63D3BD6456259FC7CC34086ED24C46D0B9B59A124D3431CC22C192A868E6157C130D79796EBF240FF23AEF66E6D312BBE778BFB3692A1B6ED6D087BF479C0B0B
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 31%
                                                                        • Antivirus: Virustotal, Detection: 41%, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..d............... ........@.. ....................................@.................................3...O................................... n..T............................................ ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............x..............@..B................g.......H.......@V...1......"....................................................0..R..........4...%..{....{L....%.r...p.%..|....(.....%.r...p.%..{.....X...(.....(.......+..*...0..&..........{........,...{.....+....{....Z.+..*".(.....*..0..z..............}...........}......}.....(.......(......{.....s!...%.d}M...%r!..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r)..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r1..p}L...%.{....}P...%.{....}O......{.......+........o....&.
                                                                        Process:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                        Process:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                        Category:dropped
                                                                        Size (bytes):28672
                                                                        Entropy (8bit):1.4755077381471955
                                                                        Encrypted:false
                                                                        SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                        MD5:DEE86123FE48584BA0CE07793E703560
                                                                        SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                        SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                        SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
                                                                        Category:dropped
                                                                        Size (bytes):28672
                                                                        Entropy (8bit):1.4755077381471955
                                                                        Encrypted:false
                                                                        SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                        MD5:DEE86123FE48584BA0CE07793E703560
                                                                        SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                        SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                        SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.860252795159179
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:CsTapHIkAO.exe
                                                                        File size:752128
                                                                        MD5:fc7ad54f4f2e785ad748d952945cc888
                                                                        SHA1:890ab6267da79e151b8c42e9f7f6a19d59a0eb4a
                                                                        SHA256:745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d
                                                                        SHA512:63d3bd6456259fc7cc34086ed24c46d0b9b59a124d3431cc22c192a868e6157c130d79796ebf240ff23aef66e6d312bbe778bfb3692a1b6ed6d087bf479c0b0b
                                                                        SSDEEP:12288:J5lmYMUnFW/NDMsa/S5MZJ+1ghNBtVyML3H1vY/ADhm1of1OWHBP/28dEQvYbow:J5lUVMsyS50vXV3Fvqx1vWHJ/28dh5
                                                                        TLSH:63F402382F9B4236F53257BD85E02680677E77B36723D95D04B121CE5BB37029AD0A2B
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..d............... ........@.. ....................................@................................
                                                                        Icon Hash:209480e66eb84902
                                                                        Entrypoint:0x4b8286
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6417BEAA [Mon Mar 20 02:02:18 2023 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                         Instruction
                                                                         jmp dword ptr [00402000h]
                                                                         add byte ptr [eax], al   (repeated 97 times)
                                                                         The first instruction is the native stub of a .NET executable: 0x402000 is the image base 0x400000 plus the IAT RVA 0x2000 (see the data directory and import tables below), i.e. the single imported slot mscoree!_CorExeMain, which hands control to the CLR. Everything after those six bytes is zero padding, which the disassembler decodes as 00 00 = add byte ptr [eax], al; it is not code.
                                                                         Name                                  Virtual Address   Virtual Size   Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0xb8233           0x4f           .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0xba000           0x1110         .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbc000           0xc            .reloc
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0xb6e20           0x54           .text
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000            0x8            .text
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008            0x48           .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0
                                                                         Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity      File Type   Entropy               Characteristics
                                                                         .text    0x2000            0xb628c        0xb6400    False      0.9273874206961591   data        7.86900119148787      IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                         .rsrc    0xba000           0x1110         0x1200     False      0.7306857638888888   data        6.633755365364255     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                         .reloc   0xbc000           0xc            0x200      False      0.044921875          data        0.10191042566270775   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                         Name            RVA       Size    Type                                                                               Language   Country
                                                                         RT_ICON         0xba100   0xa79   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                         RT_GROUP_ICON   0xbab8c   0x14    data
                                                                         RT_VERSION      0xbabb0   0x360   data
                                                                         RT_MANIFEST     0xbaf20   0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                         DLL           Import
                                                                         mscoree.dll   _CorExeMain
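The header values above can be cross-checked against each other without the sample. The script below is an added example and is not code from Joe Sandbox or from this report; it takes the section table, data directories, entrypoint, image base and file size as constants copied from the page, and makes two assumptions that the page does not state: that the headers occupy one 0x200-byte file-aligned block and that the sections are stored back to back in file order (PointerToRawData is not listed). The six stub bytes are constructed here as the standard FF 25 disp32 encoding of the listed `jmp dword ptr [00402000h]`. With those assumptions it shows that the sections account for exactly the 752128 bytes of the file (no overlay), that the entry stub is the last six bytes of .text, that the jump target is the IAT slot holding mscoree!_CorExeMain, and that .text has the near-8-bit entropy typical of an encrypted or packed payload.

```python
import struct

# Values copied from the report above.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4B8286
FILE_SIZE = 752128

# Assumption (not on the page): headers fill one 0x200-aligned block and the
# sections follow back to back, so PointerToRawData can be inferred.
HEADERS_SIZE = 0x200

# (name, virtual address, virtual size, raw size, entropy) from the section table.
SECTIONS = [
    (".text",  0x2000,  0xB628C, 0xB6400, 7.86900119148787),
    (".rsrc",  0xBA000, 0x1110,  0x1200,  6.633755365364255),
    (".reloc", 0xBC000, 0xC,     0x200,   0.10191042566270775),
]

# Data directories with a non-zero RVA: name -> (rva, size).
DIRECTORIES = {
    "IMPORT":         (0xB8233, 0x4F),
    "RESOURCE":       (0xBA000, 0x1110),
    "BASERELOC":      (0xBC000, 0xC),
    "DEBUG":          (0xB6E20, 0x54),
    "IAT":            (0x2000,  0x8),
    "COM_DESCRIPTOR": (0x2008,  0x48),
}

# Constructed: x86 encoding (FF 25 disp32) of the listed `jmp dword ptr [00402000h]`.
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x402000)


def layout(sections=SECTIONS, headers_size=HEADERS_SIZE):
    """Assign a PointerToRawData to each section under the back-to-back assumption.
    Returns (section dicts, file offset just past the last section)."""
    out, offset = [], headers_size
    for name, va, vsize, raw, entropy in sections:
        out.append({"name": name, "va": va, "vsize": vsize, "raw": raw,
                    "ptr": offset, "entropy": entropy})
        offset += raw
    return out, offset


def overlay_size(sections=SECTIONS, file_size=FILE_SIZE):
    """Bytes appended after the last section; droppers and packers often keep payloads there."""
    _, end = layout(sections)
    return file_size - end


def section_for_rva(rva, secs):
    """Section whose mapped range (the larger of virtual and raw size) contains the RVA."""
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None


def rva_to_offset(rva, secs):
    """Translate an RVA to a file offset via its section, or None if unmapped."""
    s = section_for_rva(rva, secs)
    return None if s is None else rva - s["va"] + s["ptr"]


def decode_jmp_indirect(stub):
    """Decode `FF 25 disp32` (jmp dword ptr [disp32]) and return the absolute slot address."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not a jmp dword ptr [imm32] stub")
    return struct.unpack_from("<I", stub, 2)[0]


def dotnet_stub_ok(stub=ENTRY_STUB, directories=DIRECTORIES, image_base=IMAGE_BASE):
    """A managed EXE's native entry jumps through the single IAT slot (mscoree!_CorExeMain)."""
    slot_rva = decode_jmp_indirect(stub) - image_base
    iat_rva, iat_size = directories["IAT"]
    return slot_rva == iat_rva and iat_size == 8


def entry_info(sections=SECTIONS, entry_va=ENTRYPOINT_VA, image_base=IMAGE_BASE):
    """Locate the entrypoint and check that the 6-byte stub is the tail of its section."""
    secs, _ = layout(sections)
    rva = entry_va - image_base
    s = section_for_rva(rva, secs)
    return {
        "rva": rva,
        "section": s["name"] if s else None,
        "file_offset": rva_to_offset(rva, secs),
        "stub_ends_section": bool(s) and rva + len(ENTRY_STUB) == s["va"] + s["vsize"],
    }


def directory_sections(directories=DIRECTORIES, sections=SECTIONS):
    """Recompute the 'Is in Section' column of the data directory table."""
    secs, _ = layout(sections)
    return {name: (section_for_rva(rva, secs) or {"name": None})["name"]
            for name, (rva, _size) in directories.items()}


def high_entropy_sections(sections=SECTIONS, threshold=7.0):
    """Near-8-bit entropy in a code section usually means a packed or encrypted payload."""
    secs, _ = layout(sections)
    return [s["name"] for s in secs if s["entropy"] > threshold]


if __name__ == "__main__":
    print("overlay bytes:", overlay_size())
    print("entry:", entry_info())
    print(".NET stub consistent with IAT:", dotnet_stub_ok())
    print("directory -> section:", directory_sections())
    print("high-entropy sections:", high_entropy_sections())
```

Under the stated layout assumption the three raw sizes plus the 0x200 header block sum to 0xb7a00 = 752128, the reported file size, so there is no overlay; a non-zero result from `overlay_size()` on a real file is where to look next for an appended payload. The same functions work on values read from any PE with a parser such as `pefile`, which also supplies the real PointerToRawData so the layout assumption is not needed.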
                                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                        Mar 20, 2023 18:27:23.871232986 CET | 192.168.2.3 | 8.8.8.8 | 0x1edc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.903903961 CET | 192.168.2.3 | 8.8.8.8 | 0xf875 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:36.987834930 CET | 192.168.2.3 | 8.8.8.8 | 0x9ffe | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:44.058130026 CET | 192.168.2.3 | 8.8.8.8 | 0x311b | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.552333117 CET | 192.168.2.3 | 8.8.8.8 | 0xfae1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.584722996 CET | 192.168.2.3 | 8.8.8.8 | 0x6f39 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.055280924 CET | 192.168.2.3 | 8.8.8.8 | 0xf9fd | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.082792044 CET | 192.168.2.3 | 8.8.8.8 | 0x378a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:04.026057005 CET | 192.168.2.3 | 8.8.8.8 | 0x68f6 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:10.749948025 CET | 192.168.2.3 | 8.8.8.8 | 0x6279 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:17.866210938 CET | 192.168.2.3 | 8.8.8.8 | 0x1001 | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:21.180830956 CET | 192.168.2.3 | 8.8.8.8 | 0x6fbb | Standard query (0) | mail.spjsv.ro | A (IP address) | IN (0x0001) | false
                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                        Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.894016027 CET | 8.8.8.8 | 192.168.2.3 | 0x1edc | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:23.925348997 CET | 8.8.8.8 | 192.168.2.3 | 0xf875 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:37.013712883 CET | 8.8.8.8 | 192.168.2.3 | 0x9ffe | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:44.120850086 CET | 8.8.8.8 | 192.168.2.3 | 0x311b | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.573849916 CET | 8.8.8.8 | 192.168.2.3 | 0xfae1 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:27:51.604175091 CET | 8.8.8.8 | 192.168.2.3 | 0x6f39 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.074980974 CET | 8.8.8.8 | 192.168.2.3 | 0xf9fd | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.074980974 CET | 8.8.8.8 | 192.168.2.3 | 0xf9fd | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.074980974 CET | 8.8.8.8 | 192.168.2.3 | 0xf9fd | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.074980974 CET | 8.8.8.8 | 192.168.2.3 | 0xf9fd | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.102576971 CET | 8.8.8.8 | 192.168.2.3 | 0x378a | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.102576971 CET | 8.8.8.8 | 192.168.2.3 | 0x378a | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.102576971 CET | 8.8.8.8 | 192.168.2.3 | 0x378a | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:02.102576971 CET | 8.8.8.8 | 192.168.2.3 | 0x378a | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:04.043845892 CET | 8.8.8.8 | 192.168.2.3 | 0x68f6 | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:10.813093901 CET | 8.8.8.8 | 192.168.2.3 | 0x6279 | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:17.888845921 CET | 8.8.8.8 | 192.168.2.3 | 0x1001 | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        Mar 20, 2023 18:28:21.199157953 CET | 8.8.8.8 | 192.168.2.3 | 0x6fbb | No error (0) | mail.spjsv.ro | | 89.43.174.45 | A (IP address) | IN (0x0001) | false
                                                                        • api.ipify.org

                                                                        Target ID:0
                                                                        Start time:18:27:12
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        Imagebase:0x650000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:low

                                                                        Target ID:1
                                                                        Start time:18:27:21
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\CsTapHIkAO.exe
                                                                        Imagebase:0xd60000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.527846084.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:11
                                                                        Start time:18:27:39
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
                                                                        Imagebase:0x110000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 31%, ReversingLabs
                                                                        • Detection: 41%, Virustotal
                                                                        Reputation:low

                                                                        Target ID:12
                                                                        Start time:18:27:45
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Imagebase:0x790000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.529011306.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:13
                                                                        Start time:18:27:48
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe"
                                                                        Imagebase:0x9e0000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:low

                                                                        Target ID:14
                                                                        Start time:18:27:58
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Imagebase:0x7ff651c80000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:15
                                                                        Start time:18:27:58
                                                                        Start date:20/03/2023
                                                                        Path:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\AppData\Roaming\BKEDEaL\BKEDEaL.exe
                                                                        Imagebase:0x960000
                                                                        File size:752128 bytes
                                                                        MD5 hash:FC7AD54F4F2E785AD748D952945CC888
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.527812814.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        No disassembly