
Analysis Report KX Trainer V2.exe

Overview

General Information

Sample Name: KX Trainer V2.exe
Analysis ID: 333458
MD5: 9db4648c520d1cd911aed6e624b8c73e
SHA1: aed00c67e0791f34b3ee9daf908d009fac22379b
SHA256: 14e3f68a51dd79eab19582804123af477203e8551d20c3c18c93dab184987c1e

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Hides threads from debuggers
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Startup:
  • System is w10x64
  • KX Trainer V2.exe (PID: 4808 cmdline: 'C:\Users\user\Desktop\KX Trainer V2.exe' MD5: 9DB4648C520D1CD911AED6E624B8C73E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: krixx.xyz
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0#
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: KX Trainer V2.exe | String found in binary or memory: http://james.newtonking.com/projects/json
Source: KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp, KX Trainer V2.exe, 00000000.00000003.221379650.000001C6D71D1000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: KX Trainer V2.exe, 00000000.00000003.221379650.000001C6D71D1000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: KX Trainer V2.exe, 00000000.00000003.222683440.000001C6D71D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers0.
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: KX Trainer V2.exe, 00000000.00000002.593899785.000001C6D71C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp, KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com_$
Source: KX Trainer V2.exe, 00000000.00000003.216982103.000001C6D71C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comoftv=
Source: KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comvoi
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: KX Trainer V2.exe, 00000000.00000003.217485422.000001C6D71C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: KX Trainer V2.exe, 00000000.00000003.223263028.000001C6D71F8000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: AgileDotNetRT64.dll.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | String found in binary or memory: https://krixx.xyz/api/kx/
Source: KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | String found in binary or memory: https://krixx.xyz/api/kx/version/paid.json
Source: KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | String found in binary or memory: https://krixx.xyzateCp
Source: KX Trainer V2.exe | String found in binary or memory: https://nas.llc
Source: KX Trainer V2.exe | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: KX Trainer V2.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729

System Summary:

PE file contains section with special chars
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: (blank; reported 6 times)
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Number of sections : 13 > 10
Source: KX Trainer V2.exe, 00000000.00000002.594991504.000001C6D7650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KX Trainer V2.exe
Source: KX Trainer V2.exe, 00000000.00000002.592062977.000001C6BE810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KX Trainer V2.exe
Source: KX Trainer V2.exe, 00000000.00000002.592135401.000001C6BE870000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs KX Trainer V2.exe
Source: KX Trainer V2.exe, 00000000.00000003.214446257.000001C6BCE80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs KX Trainer V2.exe
Source: KX Trainer V2.exe, 00000000.00000002.589893686.000001C6BCBEB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs KX Trainer V2.exe
Source: KX Trainer V2.exe | Binary or memory string: OriginalFilenameGW2_KX_CSHARP.exe< vs KX Trainer V2.exe
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 1.00070658894
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 1.0060076461
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 1.2972972973
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 0.99768115942
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 1.02244897959
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: ZLIB complexity 1.44
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: KX Trainer V2.exe, Newtonsoft.Json/Linq/JRaw.cs | Task registration methods: 'CreateAsync'
Source: classification engine | Classification label: mal64.evad.winEXE@1/1@2/1
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File created: C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617
Source: KX Trainer V2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File read: C:\Users\user\Desktop\KX Trainer V2.exe:Zone.Identifier
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: KX Trainer V2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KX Trainer V2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KX Trainer V2.exe | Static file information: File size 7560192 > 1048576
Source: KX Trainer V2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x723c00
Source: KX Trainer V2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: clrjit.pdb | source: KX Trainer V2.exe, 00000000.00000002.594031438.000001C6D72C0000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xE66D9ADF [Thu Jul 3 16:59:11 2092 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: (blank; reported 6 times)
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: .exports
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: .imports
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: .themida
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: .loadcon
Source: AgileDotNetRT64.dll.0.dr | Static PE information: section name: .boot
Source: initial sample | Static PE information: section name: entropy: 7.97791699565
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File created: C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617\AgileDotNetRT64.dll
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Process information set: NOOPENFILEERRORBOX (reported 60 times)

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\KX Trainer V2.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KX Trainer V2.exe | RDTSC instruction interceptor: First address: 00007FFB4871202F second address: 00007FFB487120B0 instructions:
  0x00000000 rdtsc
  0x00000002 dec eax
  0x00000003 shl edx, 20h
  0x00000006 dec eax
  0x00000007 or eax, edx
  0x00000009 dec eax
  0x0000000a mov dword ptr [esp+28h], eax
  0x0000000e dec eax
  0x0000000f mov eax, dword ptr [esp+30h]
  0x00000013 dec eax
  0x00000014 mov ecx, dword ptr [esp+28h]
  0x00000018 dec eax
  0x00000019 sub ecx, eax
  0x0000001b dec eax
  0x0000001c mov eax, ecx
  0x0000001e dec eax
  0x0000001f add esp, 48h
  0x00000022 ret
  0x00000023 dec eax
  0x00000024 mov dword ptr [00011206h], eax
  0x0000002a mov dword ptr [esp+28h], 00000000h
  0x00000032 jmp 00007F26D83BB51Ch
  0x00000034 mov eax, dword ptr [esp+50h]
  0x00000038 cmp dword ptr [esp+28h], eax
  0x0000003c jnl 00007F26D83BB554h
  0x0000003e rdtsc
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Window / User API: threadDelayed 1355
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Window / User API: threadDelayed 361
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Window / User API: threadDelayed 800
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 2592 | Thread sleep time: -135500s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -99594s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe TID: 5456 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Last function: Thread delayed
Source: KX Trainer V2.exe, 00000000.00000002.596708179.000001C6D8A90000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Process queried: DebugPort (reported 2 times)
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: KX Trainer V2.exe, Gma.System.MouseKeyHook/WinApi/KeyboardNativeMethods.cs | Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: KX Trainer V2.exe, u003cAgileDotNetRTu003e.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibraryA', 'LoadLibraryA@kernel32.dll')
Source: KX Trainer V2.exe, Memory/Mem.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll'), ('CreateRemoteThread', 'CreateRemoteThread@kernel32')
Source: KX Trainer V2.exe, GW2_KX_CSHARP/MemTools.cs | Reference to suspicious API methods: ('VirtualProtectEx', 'VirtualProtectEx@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
Source: KX Trainer V2.exe, 00000000.00000002.591916902.000001C6BD2D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: KX Trainer V2.exe, 00000000.00000002.591916902.000001C6BD2D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: KX Trainer V2.exe, 00000000.00000002.591916902.000001C6BD2D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: KX Trainer V2.exe, 00000000.00000002.591916902.000001C6BD2D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Users\user\Desktop\KX Trainer V2.exe VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KX Trainer V2.exe
Queries volume information (VolumeInformation) of the following files:
  C:\Windows\Fonts\ROCKEB.TTF
  C:\Windows\Fonts\ROCKBI.TTF
  C:\Windows\Fonts\ROCC____.TTF
  C:\Windows\Fonts\ROCCB___.TTF
  C:\Windows\Fonts\RAGE.TTF
  C:\Windows\Fonts\PERTILI.TTF
  C:\Windows\Fonts\PERTIBD.TTF
  C:\Windows\Fonts\PER_____.TTF
  C:\Windows\Fonts\PERI____.TTF
  C:\Windows\Fonts\PERB____.TTF
  C:\Windows\Fonts\PERBI___.TTF
  C:\Windows\Fonts\PALSCRI.TTF
  C:\Windows\Fonts\OCRAEXT.TTF
  C:\Windows\Fonts\MAIAN.TTF
  C:\Windows\Fonts\LTYPE.TTF
  C:\Windows\Fonts\LTYPEO.TTF
  C:\Windows\Fonts\LTYPEB.TTF
  C:\Windows\Fonts\LTYPEBO.TTF
  C:\Windows\Fonts\LSANS.TTF
  C:\Windows\Fonts\LSANSD.TTF
  C:\Windows\Fonts\LSANSI.TTF
  C:\Windows\Fonts\LSANSDI.TTF
  C:\Windows\Fonts\IMPRISHA.TTF
  C:\Windows\Fonts\HATTEN.TTF
  C:\Windows\Fonts\GOUDYSTO.TTF
  C:\Windows\Fonts\GOUDOS.TTF
  C:\Windows\Fonts\GOUDOSI.TTF
  C:\Windows\Fonts\GOUDOSB.TTF
  C:\Windows\Fonts\GLECB.TTF
  C:\Windows\Fonts\GIL_____.TTF
  C:\Windows\Fonts\GILI____.TTF
  C:\Windows\Fonts\GILB____.TTF
  C:\Windows\Fonts\GILBI___.TTF
  C:\Windows\Fonts\GILC____.TTF
  C:\Windows\Fonts\GLSNECB.TTF
  C:\Windows\Fonts\GIGI.TTF
  C:\Windows\Fonts\FRABK.TTF
  C:\Windows\Fonts\FRABKIT.TTF
  C:\Windows\Fonts\FORTE.TTF
  C:\Windows\Fonts\FELIXTI.TTF
  C:\Windows\Fonts\ERASMD.TTF
  C:\Windows\Fonts\ERASLGHT.TTF
  C:\Windows\Fonts\ERASDEMI.TTF
  C:\Windows\Fonts\ERASBD.TTF
  C:\Windows\Fonts\ENGR.TTF
  C:\Windows\Fonts\ELEPHNT.TTF
  C:\Windows\Fonts\ELEPHNTI.TTF
  C:\Windows\Fonts\ITCEDSCR.TTF
  C:\Windows\Fonts\CURLZ___.TTF
  C:\Windows\Fonts\COPRGTL.TTF
  C:\Windows\Fonts\COPRGTB.TTF
  C:\Windows\Fonts\CENSCBK.TTF
  C:\Windows\Fonts\SCHLBKI.TTF
  C:\Windows\Fonts\SCHLBKB.TTF
  C:\Windows\Fonts\SCHLBKBI.TTF
  C:\Windows\Fonts\CASTELAR.TTF
  C:\Windows\Fonts\CALIST.TTF
  C:\Windows\Fonts\CALISTI.TTF
  C:\Windows\Fonts\CALISTB.TTF
  C:\Windows\Fonts\CALISTBI.TTF
  C:\Windows\Fonts\BOOKOS.TTF
  C:\Windows\Fonts\BOOKOSB.TTF
  C:\Windows\Fonts\BOOKOSI.TTF
  C:\Windows\Fonts\BOOKOSBI.TTF
  C:\Windows\Fonts\BOD_R.TTF
  C:\Windows\Fonts\BOD_I.TTF
  C:\Windows\Fonts\BOD_B.TTF
  C:\Windows\Fonts\BOD_BI.TTF
  C:\Windows\Fonts\BOD_CR.TTF
  C:\Windows\Fonts\BOD_BLAR.TTF
  C:\Windows\Fonts\BOD_CI.TTF
  C:\Windows\Fonts\BOD_CB.TTF
  C:\Windows\Fonts\BOD_BLAI.TTF
  C:\Windows\Fonts\BOD_CBI.TTF
  C:\Windows\Fonts\ITCBLKAD.TTF
  C:\Windows\Fonts\ARLRDBD.TTF
  C:\Windows\Fonts\AGENCYR.TTF
  C:\Windows\Fonts\AGENCYB.TTF
  C:\Windows\Fonts\BSSYM7.TTF
  C:\Windows\Fonts\REFSAN.TTF
  C:\Windows\Fonts\REFSPCL.TTF
  C:\Windows\Fonts\MTEXTRA.TTF
  C:\Windows\Fonts\marlett.ttf
  C:\Windows\Fonts\micross.ttf
  C:\Windows\Fonts\segoeuii.ttf
  C:\Windows\Fonts\segoeuiz.ttf
Source: C:\Users\user\Desktop\KX Trainer V2.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques matched for this sample, grouped by tactic. The digits after a technique are the signature-count badges as rendered on the matrix; a cell that carries several badges shows their digits run together (for example 321). Tactics with no matched technique are listed at the end.

Execution: Scheduled Task/Job 1; Native API 1
Persistence: Scheduled Task/Job 1
Privilege Escalation: Process Injection 1; Scheduled Task/Job 1
Defense Evasion: Virtualization/Sandbox Evasion 14; Disable or Modify Tools 1; Process Injection 1; Obfuscated Files or Information 1; Software Packing 2; Timestomp 1
Discovery: Security Software Discovery 321; Virtualization/Sandbox Evasion 14; Process Discovery 1; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 112
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
No matched techniques: Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact
Behavior Graph

Behavior Graph ID: 333458
Sample: KX Trainer V2.exe
Start date: 22/12/2020
Architecture: WINDOWS
Score: 64

Sample-level nodes:
  • DNS: cdn.onenote.net
  • Signature: .NET source code references suspicious native API functions
  • Signature: PE file contains section with special chars
  • Signature: Binary contains a suspicious time stamp
  • Signature: Tries to detect virtualization through RDTSC time measurements
  • Process: KX Trainer V2.exe started (graph badge counts 14 and 4)

Nodes attached to the KX Trainer V2.exe process:
  • Network: krixx.xyz, 194.5.156.24, remote port 443, local port 49729, AS-HOSTINGERLT, Germany
  • Dropped file: C:\Users\user\AppData\...\AgileDotNetRT64.dll (PE32+)
  • Signature: Hides threads from debuggers
  • Signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)

Initial sample

Source | Detection | Scanner | Label
KX Trainer V2.exe | 4% | Virustotal |
KX Trainer V2.exe | 2% | ReversingLabs |

Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617\AgileDotNetRT64.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617\AgileDotNetRT64.dll | 2% | ReversingLabs |

No Antivirus matches

Domains

Source | Detection | Scanner | Label
krixx.xyz | 0% | Virustotal |
cdn.onenote.net | 0% | Virustotal |

URLs (where a URL was checked by several reputation sources the result is repeated, shown here as xN)

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation x4 | safe
http://www.sajatypeworks.comvoi | 0% | Avira URL Cloud | safe
https://nas.llc | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com_$ | 0% | Avira URL Cloud | safe
https://krixx.xyz/api/kx/version/paid.json | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation x3 | safe
http://www.goodfont.co.kr | 0% | URL Reputation x3 | safe
http://www.sajatypeworks.com | 0% | URL Reputation x3 | safe
http://www.typography.netD | 0% | URL Reputation x3 | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation x3 | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation x3 | safe
http://fontfabrik.com | 0% | URL Reputation x3 | safe
http://www.typography.net | 0% | URL Reputation x3 | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation x3 | safe
http://www.sandoll.co.kr | 0% | URL Reputation x3 | safe
http://www.urwpp.deDPlease | 0% | URL Reputation x3 | safe
http://www.urwpp.de | 0% | URL Reputation x3 | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation x3 | safe
http://www.sakkal.com | 0% | URL Reputation x3 | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation x3 | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation x3 | safe
https://krixx.xyzateCp | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation x3 | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation x3 | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation x3 | safe
http://www.carterandcone.coml | 0% | URL Reputation x3 | safe
http://www.founder.com.cn/cn | 0% | URL Reputation x3 | safe
https://krixx.xyz/api/kx/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation x3 | safe
http://www.sajatypeworks.comoftv= | 0% | Avira URL Cloud | safe

Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
krixx.xyz | 194.5.156.24 | true | false | | unknown
cdn.onenote.net | unknown | unknown | false | | unknown
URLs found in memory dumps and files

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x4 | unknown
http://www.sajatypeworks.comvoi | KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://nas.llc | KX Trainer V2.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.sajatypeworks.com_$ | KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://krixx.xyz/api/kx/version/paid.json | KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.fontbureau.com/designers | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp; KX Trainer V2.exe, 00000000.00000003.221379650.000001C6D71D1000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers0. | KX Trainer V2.exe, 00000000.00000003.222683440.000001C6D71D2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.sajatypeworks.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp; KX Trainer V2.exe, 00000000.00000003.216837611.000001C6D71DB000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.typography.netD | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.founder.com.cn/cn/cThe | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.galapagosdesign.com/staff/dennis.htm | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://fontfabrik.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | AgileDotNetRT64.dll.0.dr | false | | high
http://www.typography.net | KX Trainer V2.exe, 00000000.00000003.217485422.000001C6D71C2000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.fontbureau.com/designerse | KX Trainer V2.exe, 00000000.00000002.593899785.000001C6D71C0000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.fonts.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.urwpp.deDPlease | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.urwpp.de | KX Trainer V2.exe, 00000000.00000003.223263028.000001C6D71F8000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.zhongyicts.com.cn | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://cps.root-x1.letsencrypt.org0 | KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.apache.org/licenses/LICENSE-2.0 | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://cps.letsencrypt.org0 | KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
https://krixx.xyzateCp | KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.int-x3.letsencrypt.org/0# | KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | false | | high
http://ocsp.thawte.com0 | AgileDotNetRT64.dll.0.dr | false | URL Reputation: safe x3 | unknown
http://ocsp.int-x3.letsencrypt.org0/ | KX Trainer V2.exe, 00000000.00000002.596754194.000001C6D8AAE000.00000004.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.symauth.com/cps0( | AgileDotNetRT64.dll.0.dr | false | | high
http://james.newtonking.com/projects/json | KX Trainer V2.exe | false | URL Reputation: safe x3 | unknown
http://www.carterandcone.coml | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
http://www.fontbureau.com/designers/frere-jones.html | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
https://krixx.xyz/api/kx/ | KX Trainer V2.exe, 00000000.00000002.592456278.000001C6BEA41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/rpa00 | AgileDotNetRT64.dll.0.dr | false | | high
http://www.jiyu-kobo.co.jp/ | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | URL Reputation: safe x3 | unknown
https://www.newtonsoft.com/jsonschema | KX Trainer V2.exe | false | | high
http://www.sajatypeworks.comoftv= | KX Trainer V2.exe, 00000000.00000003.216982103.000001C6D71C2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers8 | KX Trainer V2.exe, 00000000.00000002.595142621.000001C6D7690000.00000002.00000001.sdmp | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | KX Trainer V2.exe | false | | high
http://www.fontbureau.com/designers/ | KX Trainer V2.exe, 00000000.00000003.221379650.000001C6D71D1000.00000004.00000001.sdmp | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.156.24 | unknown | Germany | 47583 | AS-HOSTINGERLT | false
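The network and dropped-file indicators above (krixx.xyz, 194.5.156.24 on port 443, the https://krixx.xyz/api/kx/ URLs and AgileDotNetRT64.dll under a GUID-named folder in %LOCALAPPDATA%\Temp) are what a SOC would sweep its logs for. The Python script below is an added example by the editor, not part of the Joe Sandbox report and not code from the analysed sample. The key=value log format and the log lines themselves are constructed for the demonstration; cdn.onenote.net is treated as benign because the sandbox whitelisted it, and the script deliberately ignores look-alike hosts such as krixx.xyz.example.net while still matching real subdomains of krixx.xyz.

```python
"""IOC sweep for the indicators listed in this report (added example, not report code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the report's network and dropped-file sections.
IOC_DOMAINS = {"krixx.xyz"}
IOC_IPS = {"194.5.156.24"}
IOC_URLS = {
    "https://krixx.xyz/api/kx/version/paid.json",
    "https://krixx.xyz/api/kx/",
}
# Contacted during analysis but whitelisted by the sandbox; never reported as a hit.
BENIGN_DOMAINS = {"cdn.onenote.net"}
# Dropped file shape: ...\AppData\Local\Temp\<GUID>\AgileDotNetRT64.dll
DROPPED_FILE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"\\AgileDotNetRT64\.dll\b",
    re.IGNORECASE,
)
# Dotted tokens (hostnames or IPv4 literals) not glued to other host characters.
HOST_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![\w-])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str   # "domain", "ip", "url" or "file"
    value: str


def _is_under(host: str, domains: Iterable[str]) -> Optional[str]:
    """Exact match or true subdomain only; 'krixx.xyz.example.net' does not match."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def _host_hits(text: str) -> List[Tuple[str, str]]:
    hits = []
    for tok in HOST_RE.findall(text):
        tok = tok.lower()
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            if _is_under(tok, BENIGN_DOMAINS):
                continue
            d = _is_under(tok, IOC_DOMAINS)
            if d:
                hits.append(("domain", d))
        else:
            if tok in IOC_IPS:
                hits.append(("ip", tok))
    return hits


def find_iocs(line_no: int, line: str) -> List[Match]:
    """All distinct indicator hits on one log line, in order of appearance."""
    found = [Match(line_no, k, v) for k, v in _host_hits(line)]
    for url in URL_RE.findall(line):
        # Prefer the most specific IOC URL when several prefixes match.
        best = max((u for u in IOC_URLS if url.lower().startswith(u)), key=len, default=None)
        if best:
            found.append(Match(line_no, "url", best))
    if DROPPED_FILE_RE.search(line):
        found.append(Match(line_no, "file", "AgileDotNetRT64.dll"))
    seen, out = set(), []
    for m in found:
        if m not in seen:
            seen.add(m)
            out.append(m)
    return out


def scan(lines: Iterable[str]) -> List[Match]:
    matches: List[Match] = []
    for n, line in enumerate(lines, start=1):
        matches.extend(find_iocs(n, line))
    return matches


def summarize(matches: Iterable[Match]) -> dict:
    counts: dict = {}
    for m in matches:
        counts[m.kind] = counts.get(m.kind, 0) + 1
    return counts


# Constructed sample log (not captured traffic); values mirror the report's indicators.
SAMPLE_LOG = r"""2020-12-22T21:50:31Z dns   client=10.0.0.15 query=cdn.onenote.net type=A
2020-12-22T21:50:33Z dns   client=10.0.0.15 query=krixx.xyz type=A answer=194.5.156.24
2020-12-22T21:50:34Z conn  client=10.0.0.15:49729 server=194.5.156.24:443 proto=tls
2020-12-22T21:50:35Z proxy client=10.0.0.15 method=GET url=https://krixx.xyz/api/kx/version/paid.json status=200
2020-12-22T21:50:36Z file  image=C:\Users\user\Desktop\KX Trainer V2.exe target=C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617\AgileDotNetRT64.dll
2020-12-22T21:51:00Z dns   client=10.0.0.22 query=www.fontbureau.com type=A
2020-12-22T21:51:05Z dns   client=10.0.0.22 query=krixx.xyz.example.net type=A
2020-12-22T21:51:09Z dns   client=10.0.0.30 query=api.krixx.xyz type=A"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for m in hits:
        print(f"line {m.line_no}: {m.kind} {m.value}")
    print(summarize(hits))
```

Host tokens are extracted first and then compared as whole labels, which is what keeps the look-alike domain out while api.krixx.xyz still counts; the dropped-file regex keys on the folder shape rather than the specific GUID, since that directory name is per-run.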

                                          General Information

                                          Joe Sandbox Version:31.0.0 Red Diamond
                                          Analysis ID:333458
                                          Start date:22.12.2020
                                          Start time:21:50:10
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 14s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:KX Trainer V2.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:29
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal64.evad.winEXE@1/1@2/1
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 4.9% (good quality ratio 4.1%)
                                          • Quality average: 66%
                                          • Quality standard deviation: 29.7%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): (list of whitelisted Microsoft/CDN infrastructure addresses omitted)
• Excluded domains from analysis (whitelisted): (list of whitelisted Microsoft/CDN infrastructure domains omitted)
• Execution Graph export aborted for target KX Trainer V2.exe, PID 4808 because there are no executed functions
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:51:11 | API Interceptor | 5x Sleep call for process: KX Trainer V2.exe modified
                                          No context
                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
AS-HOSTINGERLT | (table of associated malicious samples, URLs and contacted IPs omitted)
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | (table of associated malicious samples, URLs and contacted IPs omitted)
                                          No context
                                          C:\Users\user\AppData\Local\Temp\e2dc8871-2a55-499b-ab2d-7a39de684617\AgileDotNetRT64.dll
                                          Process:C:\Users\user\Desktop\KX Trainer V2.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3223976
                                          Entropy (8bit):7.960889817927068
                                          Encrypted:false
                                          SSDEEP:98304:Z9uDqOHJfCBCxvqxT6u8PgLonwxCqwJ4/V0Z:Z94HJaBCx2ePPYbwI6
                                          MD5:4D8082B3DE02F82DB9A515E9DAB5D2B6
                                          SHA1:057A20ADE70244601D0FE50F7011C95BAE335EA5
                                          SHA-256:936B1537B6EFCECE032C05661238B06BEEFC61FF76E82B7C5D9FE558A9360A4C
                                          SHA-512:7B9153E9948E0F911FCB0B145678A56CAC4ABD948FA99E07C331760F02DCE096CF3BE7D2D8493CF7A76460C7172E24EAA45C1283A28353501B2876C54752C60D
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                          • Antivirus: ReversingLabs, Detection: 2%
                                          Reputation:low
Preview: (raw byte dump of the dropped PE file omitted)

                                          Static File Info

                                          General

                                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.843509762978309
                                          TrID:
                                          • Win64 Executable GUI Net Framework (211506/5) 46.89%
                                          • Win64 Executable GUI (202006/5) 44.79%
                                          • Win64 Executable (generic) (21505/4) 4.77%
                                          • Win64 Executable (generic) (12005/4) 2.66%
                                          • Generic Win/DOS Executable (2004/3) 0.44%
                                          File name:KX Trainer V2.exe
                                          File size:7560192
                                          MD5:9db4648c520d1cd911aed6e624b8c73e
                                          SHA1:aed00c67e0791f34b3ee9daf908d009fac22379b
                                          SHA256:14e3f68a51dd79eab19582804123af477203e8551d20c3c18c93dab184987c1e
                                          SHA512:e714fb811310aaa0d9f32dfc0c31ad64e32225b5152d29edd8b00ccef5bbf3169d1c6dd7e5f89c3299c9a9db40710cdebf489b27a73574b284ad366b72f3575e
                                          SSDEEP:196608:S49GV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:FX90jVvBXvoww77rc
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....m..........."......<r..Xs......Zr.. ....@...... ........................s...........`................................

                                          File Icon

                                          Icon Hash:b231f8f0f0f8e871

                                          General

                                          Entrypoint:0xb25abe
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                          Time Stamp:0xE66D9ADF [Thu Jul 3 16:59:11 2092 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x725a50 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x726000 | 0x11ae4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x738000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x10 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2010 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x723ad0 | 0x723c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x726000 | 0x11ae4 | 0x11c00 | False | 0.213729643486 | data | 3.94727051102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x738000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x726130 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0x736958 | 0x14 | data | |
RT_VERSION | 0x73696c | 0x388 | data | |
RT_MANIFEST | 0x736cf4 | 0xdee | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020 Krixx.xyz
Assembly Version | 2.0.0.0
InternalName | GW2_KX_CSHARP.exe
FileVersion | 2.0.0.0
CompanyName | Krixx.xyz
LegalTrademarks |
Comments | Guild Wars 2 Trainer
ProductName | KX Trainer V2
ProductVersion | 2.0.0.0
FileDescription | KX Trainer V2
OriginalFilename | GW2_KX_CSHARP.exe

                                          Network Behavior


                                          Network Port Distribution

                                          • Total Packets: 47
                                          • 443 (HTTPS)
                                          • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2020 21:51:11.698791981 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.724833012 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.725040913 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.758815050 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.782689095 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.789231062 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.789287090 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.789319038 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.789458036 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.798038960 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.822081089 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.865906954 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:11.890585899 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:11.932780981 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:51:17.713191986 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:17.713237047 CET | 443 | 49729 | 194.5.156.24 | 192.168.2.3
Dec 22, 2020 21:51:17.713512897 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Dec 22, 2020 21:52:51.960719109 CET | 49729 | 443 | 192.168.2.3 | 194.5.156.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2020 21:50:55.592377901 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:50:55.616774082 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:50:59.990118980 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:00.025829077 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:02.295015097 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:02.322139025 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:03.575201035 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:03.610560894 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:04.247205019 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:04.271696091 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:05.434782982 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:05.470501900 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:06.589452028 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:06.613830090 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:07.589210033 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:07.622077942 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:08.249258041 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:08.273627996 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:08.907733917 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:08.932039022 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:09.549938917 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:09.584764004 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:10.287733078 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:10.312114954 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:11.121953964 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:11.146351099 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:11.608711004 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:11.664942026 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:12.123415947 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:12.148087978 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:23.585604906 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:23.609998941 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:27.780776024 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:27.827308893 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:28.940970898 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:28.977741957 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:41.858010054 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:41.885195971 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:45.598160028 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:45.625443935 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:46.887651920 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:46.938136101 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:48.315212011 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:48.340008020 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:51:51.477916956 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:51:51.512207985 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:52:24.284394979 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:52:24.308845997 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:52:24.612776995 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:52:24.653426886 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:52:49.938246965 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:52:49.962661982 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:22.543087006 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:22.543432951 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:22.577122927 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:22.582959890 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:43.027098894 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:43.143749952 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:43.712729931 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:43.748471022 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:44.403774977 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:44.437979937 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Dec 22, 2020 21:53:44.786068916 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Dec 22, 2020 21:53:44.818578959 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
                                          Dec 22, 2020 21:53:47.705167055 CET5878453192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:47.738282919 CET53587848.8.8.8192.168.2.3
                                          Dec 22, 2020 21:53:48.115478992 CET6397853192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:48.148287058 CET53639788.8.8.8192.168.2.3
                                          Dec 22, 2020 21:53:48.741339922 CET6293853192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:48.779218912 CET53629388.8.8.8192.168.2.3
                                          Dec 22, 2020 21:53:49.501714945 CET5570853192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:49.534647942 CET53557088.8.8.8192.168.2.3
                                          Dec 22, 2020 21:53:50.387211084 CET5680353192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:50.422147989 CET53568038.8.8.8192.168.2.3
                                          Dec 22, 2020 21:53:50.977252007 CET5714553192.168.2.38.8.8.8
                                          Dec 22, 2020 21:53:51.009991884 CET53571458.8.8.8192.168.2.3
DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
Dec 22, 2020 21:51:11.608711004 CET  192.168.2.3  8.8.8.8  0x5e3d    Standard query (0)  krixx.xyz        A (IP address)  IN (0x0001)
Dec 22, 2020 21:53:22.543432951 CET  192.168.2.3  8.8.8.8  0xc7be    Standard query (0)  cdn.onenote.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName                        Address       Type                    Class
Dec 22, 2020 21:51:11.664942026 CET  8.8.8.8    192.168.2.3  0x5e3d    No error (0)  krixx.xyz        -                            194.5.156.24  A (IP address)          IN (0x0001)
Dec 22, 2020 21:53:22.577122927 CET  8.8.8.8    192.168.2.3  0xc7be    No error (0)  cdn.onenote.net  cdn.onenote.net.edgekey.net  -             CNAME (Canonical name)  IN (0x0001)

HTTPS / TLS Sessions

Timestamp: Dec 22, 2020 21:51:11.789319038 CET
Source IP: 194.5.156.24
Source Port: 443
Dest IP: 192.168.2.3
Dest Port: 49729
Certificate chain:
• Subject: CN=krixx.xyz
  Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Not Before: Wed Nov 04 19:38:23 CET 2020
  Not After: Tue Feb 02 19:38:23 CET 2021
• Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  Not Before: Thu Mar 17 17:40:46 CET 2016
  Not After: Wed Mar 17 17:40:46 CET 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e

                                          Code Manipulations

                                          Statistics

CPU Usage

[CPU usage chart: time 0-150 s on the x-axis, CPU usage 0-100 % on the y-axis]

Memory Usage

[Memory usage chart: time 0-150 s on the x-axis, memory usage 0-100 MB on the y-axis]

High Level Behavior Distribution

[Behavior distribution chart; legend categories:]
• File
• Registry
• Network

                                          System Behavior

Start time: 21:51:02
Start date: 22/12/2020
Path: C:\Users\user\Desktop\KX Trainer V2.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\KX Trainer V2.exe'
Imagebase: 0x1c6bc420000
File size: 7560192 bytes
MD5 hash: 9DB4648C520D1CD911AED6E624B8C73E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                          Disassembly

                                          Code Analysis