Windows Analysis Report
PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 830558
MD5: 03d90e26c8a6fbbeb284359b0f90ee91
SHA1: 68b83832a4423003564a8df9af2cda29622190a0
SHA256: eb2ad014aa499fd10c8ec16353295ace996e28a7d822097caf7bd11929c0b558
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: PO.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe ReversingLabs: Detection: 38%
Source: PO.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Joe Sandbox ML: detected
Source: 0.2.PO.exe.3f2eeb0.8.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "sudeni@dalwabo-jp.com", "Password": " dLm)Xyz9 "}
Source: PO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wAGa.pdb source: PO.exe, keWKhH.exe.6.dr
Source: Binary string: wAGa.pdbSHA256 source: PO.exe, keWKhH.exe.6.dr
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: global traffic TCP traffic: 192.168.2.3:49700 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.3:49703 -> 208.91.199.223:587
Source: PO.exe, 00000006.00000002.533158671.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.553635276.00000000068B4000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.533734950.0000000000E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO.exe, 00000006.00000002.533158671.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: keWKhH.exe, 0000000B.00000002.330356628.00000000007B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: PO.exe, 00000000.00000000.264075707.0000000000748000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewAGa.exe> vs PO.exe
Source: PO.exe, 00000000.00000002.312416410.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO.exe
Source: PO.exe, 00000000.00000002.302999935.0000000003B79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002C47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCruiser.dll, vs PO.exe
Source: PO.exe, 00000000.00000002.302999935.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCruiser.dll, vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe, 00000006.00000002.532341288.0000000000F88000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO.exe
Source: PO.exe, 00000006.00000002.531388720.000000000042C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe Binary or memory string: OriginalFilenamewAGa.exe> vs PO.exe
Source: PO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: keWKhH.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe "C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe"
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/4@4/2
Source: PO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample Static PE information: section name: .text entropy: 7.870304849303137
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\Desktop\PO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run keWKhH

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PO.exe File opened: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
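The WMI and sleep entries in this section are the raw evasion telemetry an analyst has to summarise before deciding what the sample actually checks. Win32_BaseBoard exposes the motherboard manufacturer and product strings, Win32_NetworkAdapterConfiguration the adapters' descriptions and MAC addresses, and hypervisor-specific values in either (vendor names, MAC prefixes registered to virtualization products) are what VM-aware samples look for. The per-thread sleep entries that follow show both a loop with a slowly decreasing delay and waits whose magnitude is far beyond any wall-clock delay. The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling: it parses lines in this report's "Source: ..." shape, counts error-mode changes per process, collects the WMI classes each process enumerated and flags those commonly used for VM fingerprinting, and aggregates sleep time per thread. The sample lines are constructed from entries on this page; the 10^9-second cutoff for treating a value as a sentinel rather than a real delay, the VM_FINGERPRINT_CLASSES list and the assumption that source paths contain no spaces are choices made for the example.

```python
"""Added example: summarise Joe Sandbox style behaviour lines for triage."""
import re
from collections import defaultdict

# Constructed sample in the shape of this report's entries (some carry the
# page's trailing "Jump to behavior" link text, which the parser discards).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PO.exe TID: 5224 Thread sleep time: -40023s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 5192 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 5916 Thread sleep count: 6216 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99841s >= -30000s
barindex
"""

# Assumption for this example: a reported delay of 1e9 s or more is a sentinel
# (an effectively infinite wait), not a wall-clock sleep worth adding up.
SENTINEL_SECONDS = 10**9

# WMI classes commonly enumerated to fingerprint hypervisors (list chosen here).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}

# Source paths are assumed to contain no spaces (true for every path on this page).
LINE_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+(?P<event>.*?)(?:\s+Jump to behavior)?\s*$")
ERRMODE_RE = re.compile(r"^Process information set:\s+(?P<flag>\w+)$")
WMI_RE = re.compile(r"^WMI Queries:.*:\s+(?P<cls>Win32_\w+)$")
SLEEP_TIME_RE = re.compile(r"^TID:\s+(?P<tid>\d+)\s+Thread sleep time:\s+(?P<secs>-?\d+)s\b")
SLEEP_COUNT_RE = re.compile(r"^TID:\s+(?P<tid>\d+)\s+Thread sleep count:\s+(?P<n>\d+)\b")


def parse_line(line):
    """Split one report line into (source path, event text); None for non-entries."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("event")) if m else None


def new_sleep_entry():
    return {"calls": 0, "real_seconds": 0, "max_seconds": 0, "sentinel_waits": 0}


def triage(text):
    """Aggregate error-mode changes, WMI enumeration and thread sleeps per process."""
    error_mode = defaultdict(lambda: defaultdict(int))
    wmi = defaultdict(set)
    sleeps = defaultdict(new_sleep_entry)
    sleep_counts = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        src, event = parsed
        m = ERRMODE_RE.match(event)
        if m:
            error_mode[src][m.group("flag")] += 1
            continue
        m = WMI_RE.match(event)
        if m:
            wmi[src].add(m.group("cls"))
            continue
        m = SLEEP_TIME_RE.match(event)
        if m:
            entry = sleeps[(src, int(m.group("tid")))]
            secs = abs(int(m.group("secs")))  # the report prints relative delays as negatives
            entry["calls"] += 1
            if secs >= SENTINEL_SECONDS:
                entry["sentinel_waits"] += 1
            else:
                entry["real_seconds"] += secs
                entry["max_seconds"] = max(entry["max_seconds"], secs)
            continue
        m = SLEEP_COUNT_RE.match(event)
        if m:
            sleep_counts[(src, int(m.group("tid")))] = int(m.group("n"))
    return {
        "error_mode": {s: dict(f) for s, f in error_mode.items()},
        "wmi": {s: sorted(c) for s, c in wmi.items()},
        "vm_fingerprint": {s: sorted(c & VM_FINGERPRINT_CLASSES) for s, c in wmi.items()},
        "sleeps": dict(sleeps),
        "sleep_counts": sleep_counts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for src, flags in result["error_mode"].items():
        print(f"{src}: error mode {flags}")
    for src, classes in result["vm_fingerprint"].items():
        print(f"{src}: VM-fingerprint WMI classes {classes}")
    for (src, tid), e in result["sleeps"].items():
        print(f"{src} TID {tid}: {e['calls']} sleeps, {e['real_seconds']} s real, "
              f"{e['sentinel_waits']} sentinel waits")
```

Feed the whole behaviour section of a report to triage() instead of SAMPLE_LINES to get the per-process picture at a glance: which processes read hardware and adapter classes, and for each thread how much real delay was requested versus how many sentinel waits were issued. Keeping sentinel waits separate matters because adding them to the real total would make every sample look like it sleeps for centuries and hide the decreasing-delay loop that is the actual evasion pattern here.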
Source: C:\Users\user\Desktop\PO.exe TID: 5224 Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 5192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 5916 Thread sleep count: 6216 > 30
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99841s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99732s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99623s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99509s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -99016s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98529s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98419s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98288s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98159s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97872s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97753s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97622s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97516s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97394s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97242s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97121s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -96889s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 1568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 1244 Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 5352 Thread sleep count: 5784 > 30
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99842s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99730s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99621s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99512s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99378s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -99030s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98921s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98576s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98467s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98249s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -98029s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97919s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97811s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97592s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97482s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97176s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -97054s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -96929s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 6068 Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 5560 Thread sleep count: 7608 > 30
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99843s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99147s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97961s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96907s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96469s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96249s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96138s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -96030s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe Window / User API: threadDelayed 6216
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Window / User API: threadDelayed 5784
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Window / User API: threadDelayed 7608
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 40023
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99841
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99732
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99623
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99509
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99391
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99250
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99141
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 99016
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98766
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98641
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98529
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98419
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98288
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98159
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 98000
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97872
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97753
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97622
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97516
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97394
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97242
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97121
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 97000
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 96889
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 96749
Source: C:\Users\user\Desktop\PO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 40023
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99842
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99730
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99621
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99512
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99378
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99250
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99140
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99030
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98921
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98812
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98703
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98576
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98467
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98358
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98249
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98029
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97919
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97811
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97702
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97592
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97482
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97176
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97054
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96929
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 40023
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99843
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99390
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99147
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 99031
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97961
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97500
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97391
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97172
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 97063
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96907
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96469
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96359
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96249
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96138
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 96030
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Thread delayed: delay time: 922337203685477
Source: PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PO.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Memory written: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Memory written: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PO.exe Code function: 6_2_02D6F6D8 GetUserNameW, 6_2_02D6F6D8

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR