Windows Analysis Report
Payment Challan.exe

Overview

General Information

Sample name: Payment Challan.exe
Analysis ID: 1468050
MD5: 00801754bd615e4dd9e636a29823204a
SHA1: 3a4bea7747a8fbff333c51628e39e29bbbe34872
SHA256: d10c34c796a14ad8a34aebb5311378dabcb15f14da5c1fdeb7cc1f1d7b499162

Detection

Kutaki
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Kutaki Keylogger
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Kutaki
Description: Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki, however, works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki

AV Detection

Source: Payment Challan.exe Avira: detected
Source: http://newlinkwotolove.club/love/three.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: Payment Challan.exe Malware Configuration Extractor: Kutaki {"C2 url": ["http://newlinkwotolove.club/love/three.php"]}
Source: http://newlinkwotolove.club/love/three.php Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Virustotal: Detection: 40%
Source: Payment Challan.exe ReversingLabs: Detection: 52%
Source: Payment Challan.exe Virustotal: Detection: 40%
Source: Payment Challan.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
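Two of the static findings in this report, the IMAGE_FILE_HEADER characteristics (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE) and the "PE file contains an invalid checksum" signature, can be reproduced with a few lines of header parsing and no third-party library. The block below is an added example, not part of the Joe Sandbox report and not code from the sample: it reads the COFF and optional headers directly, recomputes the image checksum with the standard one's-complement word sum plus file length that imagehlp's CheckSumMappedFile implements, and runs against a constructed PE32 header skeleton because the sample's bytes are not on this page. To check a real file, pass the result of open(path, "rb").read() to static_checks().

```python
"""Static PE checks: decode IMAGE_FILE_HEADER.Characteristics and verify the PE checksum.
Added example; the PE32 skeleton built by build_minimal_pe() is constructed test input,
not the analysed sample."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification), named as in the report
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def pe_header_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature, validating MZ and e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def characteristics(data: bytes) -> list:
    """Decode the Characteristics WORD (last field of the 20-byte COFF header)."""
    pe = pe_header_offset(data)
    flags = struct.unpack_from("<H", data, pe + 4 + 18)[0]
    return [name for bit, name in CHARACTERISTICS.items() if flags & bit]


def checksum_offset(data: bytes) -> int:
    """CheckSum sits at offset 64 of the optional header for both PE32 and PE32+."""
    return pe_header_offset(data) + 4 + 20 + 64


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum: 16-bit one's-complement sum over the whole file,
    treating the CheckSum field itself as zero, then add the original file length."""
    csum_off = checksum_offset(data)
    size = len(data)
    if size % 2:
        data += b"\0"  # pad odd-length files to a whole number of words
    total = 0
    for off in range(0, len(data), 2):
        if off in (csum_off, csum_off + 2):
            continue  # skip the two words of the CheckSum field
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + size


def checksum_is_valid(data: bytes) -> bool:
    """False for the common 'invalid checksum' case (zeroed field or tampered image)."""
    return stored_checksum(data) == pe_checksum(data)


def set_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the optional header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def static_checks(data: bytes) -> dict:
    return {
        "characteristics": characteristics(data),
        "stored_checksum": stored_checksum(data),
        "computed_checksum": pe_checksum(data),
        "checksum_valid": checksum_is_valid(data),
    }


def build_minimal_pe(flags: int = 0x010F, checksum: int = 0) -> bytes:
    """Constructed, non-runnable PE32 skeleton: DOS header, PE signature, COFF header,
    224-byte optional header, no sections. 0x010F is the flag set seen in this report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, flags)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe()
    print(static_checks(sample))                 # checksum_valid: False (field is zero)
    print(static_checks(set_checksum(sample)))   # checksum_valid: True
```

A zeroed CheckSum is normal for files that are not drivers or signed system binaries, so on its own the signature is weak; it becomes interesting in combination with the version-info mismatch the report also lists (OriginalFilename "Cashier Module.exe" versus the submitted name), which is the fingerprint of a repurposed build rather than a clean compile.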

Networking

Source: Malware configuration extractor URLs: http://newlinkwotolove.club/love/three.php
Source: Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///.)
Source: Payment Challan.exe, 00000000.00000003.2156142551.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2183683196.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145988187.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189422479.0000000000915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///.h
Source: bkkmpxfk.exe, 00000009.00000002.3387810374.0000000004351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///.u-
Source: Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///V.qK
Source: Payment Challan.exe, 00000000.00000003.2188079003.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2156142551.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189144089.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3381248941.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2173722958.000000000084F000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175989886.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175525819.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///ordiagoff.htmf.htm
Source: bkkmpxfk.exe, 00000009.00000002.3381248941.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///ordiagoff.htmf.htmy
Source: Payment Challan.exe, 00000000.00000003.2177028191.0000000004B87000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///$u
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///Dv
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///dw
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Payment Challan.exe, type: SAMPLE
Source: Yara match File source: 0.2.Payment Challan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Payment Challan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Challan.exe PID: 3476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bkkmpxfk.exe PID: 1824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bkkmpxfk.exe PID: 7400, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe, type: DROPPED

System Summary

Source: initial sample Static PE information: Filename: Payment Challan.exe
Source: C:\Users\user\Desktop\Payment Challan.exe Code function: 0_2_00405494 0_2_00405494
Source: C:\Users\user\Desktop\Payment Challan.exe Code function: 0_2_004E61ED 0_2_004E61ED
Source: C:\Users\user\Desktop\Payment Challan.exe Code function: String function: 00404FE2 appears 38 times
Source: C:\Users\user\Desktop\Payment Challan.exe Code function: String function: 00405042 appears 81 times
Source: Payment Challan.exe, 00000000.00000003.2155835952.000000000435C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCashier Module.exe2342342342342342342340 vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000002.2190947516.000000000434A000.00000004.00000020.00020000.00000000.sdmp (and seven further 00000000.00000003 dumps of the same region: 2183421304, 2183726823, 2182627234, 2185476524, 2157214813, 2148881332, 2184289439) Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe Binary or memory string: OriginalFilenameCashier Module.exe2342342342342342342340 vs Payment Challan.exe
Source: Payment Challan.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Payment Challan.exe Binary or memory string: S*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp
Source: bkkmpxfk.exe, 00000009.00000002.3380725774.0000000000538000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: x~A*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp HmB
Source: Payment Challan.exe, 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280971205.0000000000538000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: Hmx~A*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp Hm
Source: Payment Challan.exe, bkkmpxfk.exe.0.dr Binary or memory string: S*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbpj@*
Source: classification engine Classification label: mal100.troj.adwa.spyw.winEXE@8/14@0/0
Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dnserrordiagoff[1]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Source: Payment Challan.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process (identical query recorded 68 times during the run; the dropped copy repeatedly enumerates running processes)
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Challan.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;4Please Select in the list.zLength of Base64 encoded input string is not a multiple of 4.RIllegal character in Base64 encoded data.
Source: Payment Challan.exe Binary or memory string: SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT 'D-' & String$(2-Len(Count(*)+1),'0') & Count(*)+1 AS NewID( FROM tblDepartment;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT Count(*) AS SubjectCount, tblSubject.DepartmentID, tblSubject.YearLevelID From tblSubjectr GROUP BY tblSubject.DepartmentID, tblSubject.YearLevelIDJ HAVING (((tblSubject.DepartmentID)='B') AND ((tblSubject.YearLevelID)=L Where (((tblSubject.DepartmentID) = 'F') And ((tblSubject.YearLevelID) = > GROUP BY tblSubject.SubjectID;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT CStr(Year(Now()))+'-'+Left('00000000',7-Len(CStr(Max(Val(Right([tblStudent]![StudentID],7)))+1)))+CStr(Max(Val(Right([tblStudent]![StudentID],7)))+1) AS maxId FROM tblStudent;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT 'SUB-' & String$(6-Len(Count(*)+1),'0') & Count(*)+1 AS NewID" FROM tblSubject;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr Binary or memory string: SELECT 'SEC-' & String$(6-Len(Count(*)+1),'0') & Count(*)+1 AS NewID" FROM tblSection;
Source: C:\Users\user\Desktop\Payment Challan.exe File read: C:\Users\user\Desktop\Payment Challan.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Challan.exe "C:\Users\user\Desktop\Payment Challan.exe"
Source: C:\Users\user\Desktop\Payment Challan.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Challan.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Source: C:\Users\user\Desktop\Payment Challan.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinui.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Payment Challan.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Payment Challan.exe Static file information: File size 1553618 > 1048576
Source: Payment Challan.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x137000
Source: bkkmpxfk.exe.0.dr Static PE information: real checksum: 0x17e44e should be: 0x17f692
Source: Payment Challan.exe Static PE information: real checksum: 0x17e44e should be: 0x17f692
Source: C:\Users\user\Desktop\Payment Challan.exe Code function: 0_2_00402634 push esp; iretd 0_2_00402635
Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Jump to dropped file
Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 3AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 3A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 48A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 4A20000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 4B60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe Memory allocated: 4BA0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 3B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 3AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 48B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 4A30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 4B70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Memory allocated: 4BB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Challan.exe API coverage: 3.6 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Payment Challan.exe, 00000000.00000003.2186068860.00000000008EA000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2156142551.00000000008EA000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189348191.00000000008EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: bkkmpxfk.exe, 00000009.00000002.3381248941.00000000007E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Payment Challan.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Challan.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Challan.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos