

Windows Analysis Report
kdsyitkxmS.exe

Overview

General Information

Sample Name: kdsyitkxmS.exe
Original Sample Name: 01fe6ba28d82175d35665b3eb6ed8cea.exe
Analysis ID: 877005
MD5: 01fe6ba28d82175d35665b3eb6ed8cea
SHA1: 45748a6d6474f470d44e848596e0e08bce674996
SHA256: 626df082c2624d9530794881921094aa100fa0a805b1544112d5a07dbe12cbc2
Tags: 32exe
Infos:

Detection

Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Glupteba
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Creates files in the system32 config directory
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • kdsyitkxmS.exe (PID: 4652 cmdline: C:\Users\user\Desktop\kdsyitkxmS.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
    • powershell.exe (PID: 5948 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kdsyitkxmS.exe (PID: 3320 cmdline: C:\Users\user\Desktop\kdsyitkxmS.exe MD5: 01FE6BA28D82175D35665B3EB6ED8CEA)
      • powershell.exe (PID: 7000 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5952 cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • netsh.exe (PID: 2576 cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)
      • powershell.exe (PID: 2080 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4820 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
No configs have been found
Yara matches in memory dumps (5 of 11 entries shown):

Source: 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_3687686f
Description: unknown
Author: unknown
Strings:
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source: 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Rule: SUSP_PE_Discord_Attachment_Oct21_1
Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x3b8597:$x1: https://cdn.discordapp.com/attachments/

Source: 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp
Rule: SUSP_PE_Discord_Attachment_Oct21_1
Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x3b7997:$x1: https://cdn.discordapp.com/attachments/

Source: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_RedLineStealer_ed346e4c
Description: unknown
Author: unknown
Strings:
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Rule: SUSP_PE_Discord_Attachment_Oct21_1
Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x3b8597:$x1: https://cdn.discordapp.com/attachments/
Yara matches in unpacked PE files (5 of 25 entries shown):

Source: 5.3.kdsyitkxmS.exe.3e41700.0.raw.unpack
Rule: MAL_ME_RawDisk_Agent_Jan20_2
Description: Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x39858:$s2: The Magic Word!
  • 0x45998:$s2: The Magic Word!
  • 0x39bb8:$s3: Software\Oracle\VirtualBox
  • 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

Source: 0.2.kdsyitkxmS.exe.a1cb00.7.raw.unpack
Rule: MAL_ME_RawDisk_Agent_Jan20_2
Description: Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x3f458:$s2: The Magic Word!
  • 0x4b598:$s2: The Magic Word!
  • 0x3f7b8:$s3: Software\Oracle\VirtualBox
  • 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

Source: 0.3.kdsyitkxmS.exe.3fcbb00.5.raw.unpack
Rule: MAL_ME_RawDisk_Agent_Jan20_2
Description: Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x3f458:$s2: The Magic Word!
  • 0x4b598:$s2: The Magic Word!
  • 0x3f7b8:$s3: Software\Oracle\VirtualBox
  • 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

Source: 5.2.kdsyitkxmS.exe.3552567.10.raw.unpack
Rule: MAL_ME_RawDisk_Agent_Jan20_2
Description: Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x39858:$s2: The Magic Word!
  • 0x45998:$s2: The Magic Word!
  • 0x39bb8:$s3: Software\Oracle\VirtualBox
  • 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73

Source: 0.2.kdsyitkxmS.exe.36f2287.10.raw.unpack
Rule: MAL_ME_RawDisk_Agent_Jan20_2
Description: Detects suspicious malware using ElRawDisk
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x29b38:$s2: The Magic Word!
  • 0x35c78:$s2: The Magic Word!
  • 0x29e98:$s3: Software\Oracle\VirtualBox
  • 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: kdsyitkxmS.exe | ReversingLabs: Detection: 32%
Source: kdsyitkxmS.exe | Virustotal: Detection: 31%
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.30c0e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kdsyitkxmS.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.kdsyitkxmS.exe.3820000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.2f30e67.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 3320, type: MEMORYSTR
Source: https://duniadekho.bar | Avira URL Cloud: Label: malware
Source: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | Avira URL Cloud: Label: malware
Source: https://duniadekho.bar | Virustotal: Detection: 20%
Source: kdsyitkxmS.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match | File source: 0.2.kdsyitkxmS.exe.30c0e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kdsyitkxmS.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.kdsyitkxmS.exe.3820000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.2f30e67.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 3320, type: MEMORYSTR

Compliance

Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 0.2.kdsyitkxmS.exe.400000.0.unpack
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 5.2.kdsyitkxmS.exe.400000.0.unpack
Source: kdsyitkxmS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000004228000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003939000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: kdsyitkxmS.exe | String found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: kdsyitkxmS.exe | String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: !This program cannoHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionSELECT Caption FROM Win32_OperatingSystemMicrosoft Windows 10 ProPacific Standard Time2023/05/28 11:19:03 current filenname with args "C:\Users\user\Desktop\kdsyitkxmS.exe"
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProgramW6432=C:\Program Files\Common Files
Source: kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: ?-&52$1631313626321023042b113f2d26353224http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8SELECT Name FROM Win32_VideoControllerS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\kdsyitkxmS.exe"
Source: kdsyitkxmS.exeString found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: kdsyitkxmS.exeString found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: ?-&52$1631313626321023042b113f2d26353224http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\kdsyitkxmS.exe"
Source: kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsh
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
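The long string dumps above print the sample's Go string literals run together with no separator, which makes the .onion addresses and Electrum hostnames in them easy to misread (the report itself shows "electrum.leblancnet.uselectrum3.hodlister.co"). The Go linker stores string literals grouped by length, and every entry in those dumps is exactly 22 bytes ("Pakistan Standard Time", "Tor bootstrap progress", "bitcoin3nqy3db7c.onion", "network is unreachable"), so the dump can be sliced back into the original strings instead of guessed at. The following is an added triage example for this report, not code from the sample or from Joe Sandbox: it infers the bucket width from two strings an analyst can read off unaided, recovers the strings, separates 16-character v2 onion addresses (unreachable since Tor removed v2 onion services in its 0.4.6 series in 2021) from the 56-character v3 address, decodes the v3 address to confirm its version byte and checksum, and pulls the per-SID HKEY_USERS\...\Software\Microsoft\780aa3f8 key and its FirstInstallDate value out of the heap string quoted above. The excerpts embedded in the code are copied from this report; KNOWN_STRINGS, the regexes and the function names are the example's own.

```python
"""Recover the individual Go string literals from the run-together dump above and
pull IOCs out of them. Added example for this report; not code from the sample or
from Joe Sandbox. Excerpts are copied from the report; everything else is ours."""
import base64
import hashlib
import re

# Constructed input: one contiguous excerpt of the 22-byte string bucket printed
# above ("bad sweepgen in refill" .. "encrypt and encode: %w"), copied verbatim;
# the literal is split at arbitrary points only to keep the lines short.
GO_STRING_BLOB = (
    "bad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot "
    "allocate memoryclient not initializedcompileCallabck: type couldn't create "
    "devicecouldn't get file infocouldn't start servicecoulnd't write to file"
    "create main window: %wdecode and decrypt: %wdriver: bad connectionduplicated "
    "defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.co"
    "electrumxhqdsmlu.onionencrypt and encode: %w"
)
# Two strings an analyst can read off the dump unaided; they anchor the slicing.
KNOWN_STRINGS = ["bitcoin3nqy3db7c.onion", "electrum3.hodlister.co"]
# The v3 address from the report, as printed there (with scheme).
C2_ONION_URL = "http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion"
# Constructed excerpt of the heap string above that lists per-user registry paths.
REGISTRY_BLOB = (
    r"S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestApp"
    r"S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8"
    r"S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDate"
)

ONION_RE = re.compile(r"^([a-z2-7]{56}|[a-z2-7]{16})\.onion$")
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9-]*(\.[a-z0-9-]+)*\.[a-z]{2,}$")
REG_RE = re.compile(
    r"(S-1-5-21(?:-\d+){4})\\Software\\Microsoft\\(TestApp|[0-9a-f]{8})(FirstInstallDate)?"
)


def guess_width(blob, known):
    """Candidate bucket widths: a dump of one length bucket is a multiple of the
    width long, and every recognisable string starts on a width-aligned offset."""
    widths = []
    for w in range(8, 65):
        if len(blob) % w:
            continue
        offsets = [blob.find(k) for k in known]
        if all(o >= 0 and o % w == 0 for o in offsets):
            widths.append(w)
    return widths  # divisors of the true width pass too; callers take the largest


def recover_strings(blob, width):
    """Slice the bucket back into fixed-width strings (trailing spaces are data)."""
    if len(blob) % width:
        raise ValueError("blob length is not a multiple of the bucket width")
    return [blob[i:i + width] for i in range(0, len(blob), width)]


def extract_iocs(strings):
    """Sort recovered strings into v2/v3 onion addresses and clearnet hostnames."""
    iocs = {"onion_v2": [], "onion_v3": [], "hosts": []}
    for s in strings:
        s = s.strip()
        m = ONION_RE.match(s)
        if m:
            iocs["onion_v3" if len(m.group(1)) == 56 else "onion_v2"].append(s)
        elif HOST_RE.match(s):
            iocs["hosts"].append(s)
    return iocs


def parse_onion_v3(url):
    """Decode a v3 onion address: base32(pubkey[32] || checksum[2] || version[1]),
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]. An address
    that fails this check is one Tor itself would refuse to resolve."""
    addr = url.split("://", 1)[-1].strip("/")
    label = addr[:-len(".onion")] if addr.endswith(".onion") else addr
    raw = base64.b32decode(label.upper())
    if len(raw) != 35:
        raise ValueError("not a v3 onion address")
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey.hex(), "version": version, "checksum_ok": checksum == expected}


def find_registry_markers(text):
    """Map (SID, subkey) to the value names seen under HKEY_USERS/<SID>/Software/Microsoft."""
    found = {}
    for sid, key, value in REG_RE.findall(text):
        found.setdefault((sid, key), set())
        if value:
            found[(sid, key)].add(value)
    return found


def triage_blob(blob, known):
    """Pick the largest consistent width and return (width, strings, iocs)."""
    width = max(guess_width(blob, known))
    strings = recover_strings(blob, width)
    return width, strings, extract_iocs(strings)


if __name__ == "__main__":
    print(triage_blob(GO_STRING_BLOB, KNOWN_STRINGS))
    print(parse_onion_v3(C2_ONION_URL))
    print(find_registry_markers(REGISTRY_BLOB))
```

Two points worth keeping in mind when reusing this on other dumps: the width inference only works on a region that is a single length bucket (the heap strings at 0C0DE000/0C0DA000 above are not, which is why the registry paths get a plain regex instead), and the registry regex is deliberately pinned to the subkey names this report shows rather than any 8-hex-digit name, so widen it knowingly if you hunt for the same pattern under other SIDs.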
Source: kdsyitkxmS.exeString found in binary or memory: Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when wait equals www.facebook.com (Facebook)
Source: kdsyitkxmS.exeString found in binary or memory: :1.6) Gecko Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)269599466671506397946670150870196259404578077144243917216827223680612695994666715063979466701508701963 equals www.facebook.com (Facebook)
Source: kdsyitkxmS.exeString found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: kdsyitkxmS.exe, 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.g
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 0000000B.00000003.451055312.0000000003442000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.619667106.0000000003379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: kdsyitkxmS.exeString found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: kdsyitkxmS.exeString found in binary or memory: http://grub.org)Mozilla/5.0
Source: kdsyitkxmS.exeString found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://https://_bad_pdb_file.pdb
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://invalidlog.txtlookup
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: kdsyitkxmS.exe | String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.514376329.0000000005231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.622138820.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: kdsyitkxmS.exe | String found in binary or memory: http://search.msn.com/msnbot.htm)net/htt
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez
Source: kdsyitkxmS.exe | String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.avantbrowser.com
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.bloglines.com)Frame
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.everyfeed.com)explicit
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.google.
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: kdsyitkxmS.exe | String found in binary or memory: http://www.spidersoft.com)Wg
Source: kdsyitkxmS.exe | String found in binary or memory: http://yandex.com/
Source: kdsyitkxmS.exe | String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blockchain.infoindex
Source: kdsyitkxmS.exe | String found in binary or memory: https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zipreflect.Value.I
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C088000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C094000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C08E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.bar
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C094000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C09C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barMicrosoft
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonPro
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://d
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C08E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttps://duniadekho.barRegQueryValueExWUUIDPGDSE64-bitc:
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C088000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://duniadekho.barhttps://duniadekho.barRegQueryValueExWhttps://duniadekho.barUUIDUUIDPGDSEPGDSE
Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: kdsyitkxmS.exe | String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-p
Source: powershell.exe, 0000000B.00000003.473426279.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.microT
Source: kdsyitkxmS.exe | String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: kdsyitkxmS.exe, 00000000.00000002.369943446.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: 0.2.kdsyitkxmS.exe.30c0e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kdsyitkxmS.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.kdsyitkxmS.exe.3820000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.2f30e67.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 3320, type: MEMORYSTR

System Summary

Source: 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: kdsyitkxmS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.3.kdsyitkxmS.exe.3e41700.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.kdsyitkxmS.exe.a1cb00.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.kdsyitkxmS.exe.3fcbb00.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.3552567.10.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.kdsyitkxmS.exe.36f2287.10.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.kdsyitkxmS.exe.3fd1700.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.kdsyitkxmS.exe.36e2567.15.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.a22700.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.a1cb00.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.kdsyitkxmS.exe.3fe1420.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.a32420.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.kdsyitkxmS.exe.36dc967.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.354c967.12.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.kdsyitkxmS.exe.3e3bb00.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.3562287.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.kdsyitkxmS.exe.a32420.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.kdsyitkxmS.exe.3e51420.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.kdsyitkxmS.exe.39b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.2.kdsyitkxmS.exe.a22700.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.kdsyitkxmS.exe.2f30e67.9.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.2.kdsyitkxmS.exe.30c0e67.14.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.kdsyitkxmS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.3.kdsyitkxmS.exe.3820000.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.2.kdsyitkxmS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_uyxuby1g.134.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: kdsyitkxmS.exe | Binary or memory string: OriginalFilename vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000004228000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000004228000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003939000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003939000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe | Binary or memory string: OriginalFilename vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe | Static PE information: invalid certificate
Source: kdsyitkxmS.exe | ReversingLabs: Detection: 32%
Source: kdsyitkxmS.exe | Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | File read: C:\Users\user\Desktop\kdsyitkxmS.exe
Source: kdsyitkxmS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zon3rn2d.2u2.ps1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@19/9@0/0
Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0B4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT OSArchitecture FROM Win32_OperatingSystem.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCDriverData=C:\Windows\System32\Drivers\DriverData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 0_2_02CC17C6 CreateToolhelp32Snapshot,Module32First, 0_2_02CC17C6
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: kdsyitkxmS.exe | String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: kdsyitkxmS.exe | String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: kdsyitkxmS.exe | String found in binary or memory: current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address is emptyafter ob
Source: kdsyitkxmS.exe | String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: kdsyitkxmS.exe | String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: kdsyitkxmS.exe | String found in binary or memory: 1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind in runfinqbad noti
Source: kdsyitkxmS.exe | String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kdsyitkxmS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: kdsyitkxmS.exe | Static file information: File size 4379008 > 1048576
Source: kdsyitkxmS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40b400
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kdsyitkxmS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000000.00000003.353503298.0000000004228000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003939000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000004098000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000037A9000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 0.2.kdsyitkxmS.exe.400000.0.unpack
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 5.2.kdsyitkxmS.exe.400000.0.unpack
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 0.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Unpacked PE file: 5.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 0_2_02CC5D59 pushad ; ret 0_2_02CC5D80
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 0_2_02CC316A pushfd ; ret 0_2_02CC31B2
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 0_2_02CC5C7E pushad ; ret 0_2_02CC5C90
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 5_2_02B39C7E pushad ; ret 5_2_02B39C90
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 5_2_02B3716A pushfd ; ret 5_2_02B371B2
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 5_2_02B39D59 pushad ; ret 5_2_02B39D80
Source: kdsyitkxmS.exe | Static PE information: real checksum: 0x435435 should be: 0x4373eb

Persistence and Installation Behavior

Source: C:\Windows\System32\netsh.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (104 identical entries)
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (84 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSTEMCREATEFILEW[SYSTEM PROCESS]SYSTEMREGISTRYREGISTRYSMSS.EXECSRSS.EXEWININIT.EXECSRSS.EXEWINLOGON.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESHAREDINTAPP.EXESVCHOST.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEWMIPRVSE.EXEWMIPRVSE.EXESHAREDINTAPP.EXESHAREDINTAPP.EXEKDSYITKXMS.EXESHAREDINTAPP.EXE[SYSTEM PROCESS]VMSRVC.EXEVMUSRVC.EXESYSTEMSYSTEMVMSRVC.EXEVMUSRVC.EXEREGISTRYREGISTRY$
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: QCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXESHELLEXPERIENCEHOST.EXEBACKGROUNDTASKHOST.EXEBACKGROUNDTASKHOST.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZ
SHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXEQCQJZSHHHQTRSIOQQUC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESIHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXECTFMON.EXEVMSRVC.EXEVMUSRVC.EXEEXPLORER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESEARCHUI.EXESEARCHUI.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEHXTSR.EXEHXTSR.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEDLLHOST.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESGRMBROKER.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EX
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: kdsyitkxmS.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5952 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9452
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 864
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: vmci
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: HGFS
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\kdsyitkxmS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
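The six "File opened / queried" entries, the Win32_Processor WMI query and the guest-tool process and driver names in the memory strings of this section are the sample's own sandbox probes. The script below is an added example for sandbox operators, not the sample's code and not Joe Sandbox code: it re-runs the same probes on the host it is executed on, so you can see which artifacts your analysis VM still exposes. Its assumptions: that the bare names in the report are opened as \\.\ device paths, that the driver names next to the "\System32\drivers\" string are used as .sys file checks (the report shows both strings, not how they are combined), and that tasklist and Get-CimInstance are adequate stand-ins for the process enumeration and the IWbemServices::ExecQuery call. The CreateFile outcome is classified the way VM-detection code normally does it: only ERROR_FILE_NOT_FOUND / ERROR_PATH_NOT_FOUND proves absence, while ERROR_ACCESS_DENIED and similar errors come from an object that exists, so an ACL does not hide a device from this check.

```python
"""Re-run, on the analysis VM, the sandbox probes this report attributes to
kdsyitkxmS.exe: opening VirtualBox/VMware device and pipe names, listing
guest-tool processes and querying Win32_Processor.  Added example for
sandbox operators; not the sample's code and not Joe Sandbox code."""
import csv
import ctypes
import io
import os
import subprocess

# 'File opened / queried' names from the report, assumed to be \\.\ device paths.
DEVICE_ARTIFACTS = (r"\\.\VBoxGuest", r"\\.\vmci", r"\\.\HGFS", r"\\.\VBoxTrayIPC",
                    r"\\.\pipe\VBoxTrayIPC", r"\\.\VBoxMiniRdrDN")
# Guest-tool process names found in the sample's memory strings (the report
# shows the bare string VBOXSERVICE; the .exe suffix is this example's guess).
PROCESS_ARTIFACTS = ("vboxservice.exe", "vmsrvc.exe", "vmusrvc.exe", "vmwaretray.exe",
                     "vmwareuser.exe", "vmtoolsd.exe", "vmacthlp.exe",
                     "vgauthservice.exe", "xenservice.exe", "prl_cc.exe")
# Driver names from the memory strings; checking them as .sys files under
# System32\drivers is this example's assumption, not something the report proves.
DRIVER_ARTIFACTS = ("VBoxGuest", "VBoxMouse", "VBoxVideo", "vmhgfs", "vmxnet",
                    "vpc-s3", "xennet", "xensvc", "xenvdb")

GENERIC_READ = 0x80000000
FILE_SHARE_READ_WRITE = 0x00000003
OPEN_EXISTING = 3
ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

def classify_open(opened, last_error):
    """Interpret a CreateFile result the way VM-detection code does: only
    'not found' proves the object is absent.  ACCESS_DENIED, SHARING_VIOLATION
    and similar errors come from an object that exists, so hiding a device
    behind an ACL does not fool this check."""
    if opened:
        return "present"
    if last_error in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND):
        return "absent"
    return "present"

def _create_file(path):
    """CreateFileW on Windows; returns (opened, last_error)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    handle = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_READ_WRITE, None,
                             OPEN_EXISTING, 0, None)
    err = ctypes.get_last_error()
    if handle in (None, INVALID_HANDLE_VALUE):
        return False, err
    k32.CloseHandle(ctypes.c_void_p(handle))
    return True, 0

def probe_devices(opener=None):
    """Map each device path to 'present' / 'absent' ('unsupported' off Windows).
    `opener` is injectable so the classification can be exercised without kernel32."""
    if opener is None:
        if os.name != "nt":
            return {p: "unsupported" for p in DEVICE_ARTIFACTS}
        opener = _create_file
    return {p: classify_open(*opener(p)) for p in DEVICE_ARTIFACTS}

def vm_processes(names):
    """Guest-tool processes among `names` (an iterable of image names)."""
    lower = {n.lower() for n in names}
    return [p for p in PROCESS_ARTIFACTS if p in lower]

def tasklist_names():
    """Image names from `tasklist /fo csv /nh` (Windows only)."""
    if os.name != "nt":
        return []
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True,
                         text=True, check=False).stdout
    return [row[0] for row in csv.reader(io.StringIO(out)) if row]

def driver_files(exists=os.path.exists, root=None):
    """Which artifact drivers exist as .sys files under System32\\drivers."""
    root = root or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers")
    return [d for d in DRIVER_ARTIFACTS if exists(os.path.join(root, d + ".sys"))]

def processor_name():
    """Same WMI query the sample issues (SELECT Name FROM Win32_Processor);
    what the sample compares the value against is not visible in the report."""
    if os.name != "nt":
        return None
    cmd = ["powershell", "-NoProfile", "-Command",
           "(Get-CimInstance -ClassName Win32_Processor).Name"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()

if __name__ == "__main__":
    for path, state in probe_devices().items():
        print(f"{state:12} {path}")
    print("guest-tool processes:", vm_processes(tasklist_names()) or "none")
    print("artifact drivers    :", driver_files() or "none")
    print("Win32_Processor.Name:", processor_name())
```

Run it as the same user the sample would run as; a "present" for any device path, a non-empty process or driver list, or a hypervisor-branded processor name is something this family can see, and the VM should be adjusted before the next detonation.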
Source: powershell.exe, 0000000B.00000003.473426279.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZ
shHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesihost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exectfmon.exevmsrvc.exevmusrvc.exeexplorer.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeSearchUI.exesearchui.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeHxTsr.exehxtsr.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exedllhost.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesgrmbroker.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.ex
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C192000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: RuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exe\\.\VBoxMiniRdrDNMemory CompressionTrustedInstaller.exeMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeTrustedInstaller.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrssAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6TEMP=C:\Windows\TEMPTMP=C:\Windows\TEMPUSERDOMAIN=WORKGROUPwindir=C:\WindowsLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: aryvmcixn-SE-
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C00E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemuvirtual
Source: kdsyitkxmS.exe, 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: kdsyitkxmS.exe | Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: kdsyitkxmS.exe | Binary or memory string: arecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAll
Source: kdsyitkxmS.exe, 00000005.00000002.622638811.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\vmci
Source: kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: 11VBoxSFWINDIRWD
Source: kdsyitkxmS.exe | Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: kdsyitkxmS.exe | Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SystemCreateFileW[system process]systemregistryRegistrysmss.execsrss.exewininit.execsrss.exewinlogon.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesharedintapp.exesvchost.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exesharedintapp.exeWmiPrvSE.exewmiprvse.exesharedintapp.exesharedintapp.exekdsyitkxms.exesharedintapp.exe[system process]vmsrvc.exevmusrvc.exeSystemsystemvmsrvc.exevmusrvc.exeRegistryregistry$
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: kdsyitkxmS.exe, 00000005.00000002.622638811.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\pipe\VBoxTrayIPC
Source: kdsyitkxmS.exe | Binary or memory string: pi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= page
Source: kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: main.isRunningInsideVMWare
Source: kdsyitkxmS.exe | Binary or memory string: myreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:
Source: kdsyitkxmS.exe | Binary or memory string: hPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 1
Source: kdsyitkxmS.exe | Binary or memory string: s5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= m
Source: kdsyitkxmS.exe | Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: tVMSrvcs|!
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: kdsyitkxmS.exe | Binary or memory string: sbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: kdsyitkxmS.exe | Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: kdsyitkxmS.exe | Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: kdsyitkxmS.exe | Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: kdsyitkxmS.exe | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C00E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: [system process]vboxtray.exe
Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: kdsyitkxmS.exe | Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: kdsyitkxmS.exe | Binary or memory string: WSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4c
Source: kdsyitkxmS.exe | Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: kdsyitkxmS.exe | Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: kdsyitkxmS.exe | Binary or memory string: t64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.4.5
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C00E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: exit status 1nehalemS-1-5-18kvmqemuvirtualpersoconsystemProcess32FirstW[system process]vboxtray.exevboxservice.exeProcess32NextWSystemvboxtray.exevboxservice.exeRegistryregistry$
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: systemvmsrvc.exe
Source: kdsyitkxmS.exe | Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownloading
Source: kdsyitkxmS.exe | Binary or memory string: expiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowsw
Source: kdsyitkxmS.exe | Binary or memory string: 12SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs de
Source: kdsyitkxmS.exe | Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: kdsyitkxmS.exe | Binary or memory string: mountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B
Source: kdsyitkxmS.exe, 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \\.\HGFS`
Source: kdsyitkxmS.exe, 00000000.00000002.369943446.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.622534920.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C192000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exeWmiPrvSE.exesvchost.exesvchost.exeWmiPrvSE.execonhost.exeVBoxWddmVBoxMouseVBoxGuestVBoxServiceVBoxVideocsrss.exewininit.execsrss.exewinlogon.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeWmiPrvSE.execsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exesvchost.exeWmiPrvSE.exedllhost.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exeWmiPrvSE.exesvchost.exesvchost.exeWmiPrvSE.exemsvmmoufcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exeWmiPrvSE.exexenevtchnALLUSERSPROFILE=C:\ProgramDataComSpec=C:\Windows\system32\cmd.exeHOMEDRIVE=C:ProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)
Source: kdsyitkxmS.exe | Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C00E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: c:\users\user\desktop\kdsyitkxms.exeintel(r) core(tm)2 cpu 6600 @ 2.40 ghzcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exesvchost.exeWmiPrvSE.exedllhost.exeWmiPrvSE.exesvchost.exesvchost.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exectfmon.exeexplorer.exesvchost.exedllhost.exeSearchUI.exesvchost.exeHxTsr.exesvchost.exeWmiPrvSE.exedllhost.exeWmiPrvSE.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exeWmiPrvSE.exesvchost.exesvchost.exeWmiPrvSE.exevmmemctlvmusbmousevmx_svga\\.\HGFS\\.\vmcicsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelC:\Windows\system32
Source: kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: vmhgfsP
Source: kdsyitkxmS.exe, 00000005.00000002.622638811.0000000000EA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\HGFS
Source: kdsyitkxmS.exe, 00000005.00000003.434423584.0000000000EC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xenvdb?
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C19A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exexennetxennet6xensvcxenvdbC:\Windows\Sysnative\cmd.exeC:\Windows\Sysnative\cmd.exeC:\Windows\Sysnative\cmd.exePATHEXTCOMPUTERNAME=computerHOMEPATH=\Windows\system32NUMBER_OF_PROCESSORS=2PROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramW6432=C:\Program FilesPUBLIC=C:\Users\PublicUSERNAME=computer$
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C196000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: backgroundTaskHost.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exe\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPCqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exeqcQjZshHHqTrSiOqQuc.exekdsyitkxmS.exekdsyitkxmS.exe\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]kdsyitkxmS.exe[System Process]fontdrvhost.exefontdrvhost.exesmartscreen.exeSgrmBroker.exekdsyitkxmS.exe[System Process]fontdrvhost.exefontdrvhost.exekdsyitkxmS.exe.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.mscCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesDriverData=C:\Windows\System32\Drivers\DriverDataOS=Windows_NTPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCSystemDrive=C:USERPROFILE=C:\Windows\system32\config\systemprofileAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesDriverData=C:\Windows\System32\Drivers\DriverDataPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCUSERPROFILE=C:\Windows\system32\config\systemprofile
Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.473426279.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: kdsyitkxmS.exe | Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: kdsyitkxmS.exe | Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: kdsyitkxmS.exe | Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: kdsyitkxmS.exe | Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetProcessTimessvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exespoolsv.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exedllhost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exeWmiPrvSE.exewmiprvse.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exesvchost.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exevboxservice.exevboxtray.exe
Source: kdsyitkxmS.exe | Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: kdsyitkxmS.exe, 00000005.00000002.631005151.000000000C186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: sharedintapp.exe[system process]vmsrvc.exe
Source: kdsyitkxmS.exe | Binary or memory string: ianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdomai
Source: kdsyitkxmS.exe | Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 0_2_02CC10A3 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Code function: 5_2_02B350A3 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\kdsyitkxmS.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
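The two process-creation lines above show the sample opening an inbound firewall hole for C:\Windows\rss\csrss.exe under a rule named after a core Windows process; the path sits under C:\Windows but outside System32, so a check that only looks for a C:\Windows prefix would pass it. The script below is an added example and not part of the Joe Sandbox report: it parses netsh advfirewall "add rule" command lines out of process-creation events and flags inbound allow rules whose program lives outside trusted directories or whose name or file name impersonates a system process. The sample events are constructed, modelled on the lines above; the trusted-directory list and the set of impersonated process names are assumptions made for the example.

```python
"""Flag netsh firewall rules that open inbound access for suspicious programs.

Added example, not part of the Joe Sandbox report. The sample runs
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow
        program="C:\\Windows\\rss\\csrss.exe" enable=yes
The rule name mimics a core Windows process and the program path is under
C:\\Windows but outside System32. This script parses such command lines from
process-creation events and explains why each one is suspicious.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Assumptions for this example: where legitimately firewalled programs live, and
# which executable names an attacker is likely to borrow.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SYSTEM_DIRS = TRUSTED_DIRS[:2]
SYSTEM_PROCESS_NAMES = {
    "csrss", "lsass", "smss", "svchost", "wininit", "winlogon",
    "services", "explorer", "dllhost", "conhost",
}

_ADD_RULE_RE = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b", re.IGNORECASE)
# key=value pairs, where the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_netsh_rule(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the add-rule arguments as a dict, or None for other command lines."""
    if not _ADD_RULE_RE.search(cmdline):
        return None
    # findall yields (key, quoted, bare); only one of the two values is non-empty.
    # strip('"') removes the trailing quote that cmd.exe /C "..." wrapping leaves.
    return {k.lower(): (q or bare).strip('"') for k, q, bare in _KV_RE.findall(cmdline)}


def assess_rule(rule: Dict[str, str]) -> List[str]:
    """Describe why an inbound allow rule looks like malware punching a hole."""
    findings: List[str] = []
    if rule.get("dir", "").lower() != "in" or rule.get("action", "").lower() != "allow":
        return findings
    program = rule.get("program", "")
    if not program:
        findings.append("inbound allow rule without a program restriction")
    else:
        lowered = program.lower()
        if not lowered.startswith(TRUSTED_DIRS):
            findings.append(f"inbound allow for program outside trusted directories: {program}")
        # ntpath handles backslash paths regardless of the host OS.
        stem = ntpath.splitext(ntpath.basename(lowered))[0]
        if stem in SYSTEM_PROCESS_NAMES and not lowered.startswith(SYSTEM_DIRS):
            findings.append(f"program impersonates Windows process {stem}.exe from {ntpath.dirname(program)}")
    if rule.get("name", "").lower() in SYSTEM_PROCESS_NAMES:
        findings.append(f"rule name '{rule['name']}' mimics a Windows system process")
    return findings


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run every (parent process, command line) event through the checks."""
    results = []
    for parent, cmdline in events:
        rule = parse_netsh_rule(cmdline)
        if rule is not None:
            results.append((parent, rule.get("name", ""), assess_rule(rule)))
    return results


# Constructed sample events, modelled on the process-creation lines in the
# report, plus one benign installer rule and one unrelated netsh invocation.
SAMPLE_EVENTS = [
    ("cmd.exe",
     'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
     'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    ("kdsyitkxmS.exe",
     'C:\\Windows\\Sysnative\\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" '
     'dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes"'),
    ("setup.exe",
     'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow '
     'program="C:\\Program Files\\Contoso\\agent.exe" enable=yes'),
    ("cmd.exe", "netsh interface ip show config"),
]

if __name__ == "__main__":
    for parent, name, findings in scan(SAMPLE_EVENTS):
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{verdict:10} {parent:16} rule={name!r}")
        for finding in findings:
            print(f"           - {finding}")
```

Both of the report's command lines yield three findings (untrusted directory, impersonated csrss.exe, mimicking rule name); the Contoso rule yields none, and the unrelated netsh call is skipped. In production the same logic runs over Sysmon Event ID 1 or Security Event ID 4688 command lines, and the WMI query against root\SecurityCenter2 seen above is a useful second signal from the same process.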

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.kdsyitkxmS.exe.30c0e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kdsyitkxmS.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.kdsyitkxmS.exe.3820000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.2f30e67.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 3320, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.kdsyitkxmS.exe.30c0e67.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kdsyitkxmS.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.kdsyitkxmS.exe.3820000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.kdsyitkxmS.exe.2f30e67.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 4652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kdsyitkxmS.exe PID: 3320, type: MEMORYSTR

ATT&CK matrix, listed by tactic (numbers in brackets are the counts the report shows next to a technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [21]; Command and Scripting Interpreter [2]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [111]; Disable or Modify Tools [2]; Virtualization/Sandbox Evasion [41]; Process Injection [11]; Obfuscated Files or Information [1]; Software Packing [2]; File Deletion [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [131]; Virtualization/Sandbox Evasion [41]; Process Discovery [2]; Application Window Discovery [1]; System Information Discovery [12]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Proxy [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 877005
Sample: kdsyitkxmS.exe
Start date: 28/05/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree (indentation shows parent and child; bracketed numbers are the count badges the graph shows next to a process):

kdsyitkxmS.exe [13]
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Modifies the windows firewall
  kdsyitkxmS.exe
    cmd.exe [1]
      Signatures: Uses netsh to modify the Windows network and firewall settings
      netsh.exe [3]
        Signatures: Creates files in the system32 config directory
      conhost.exe
    powershell.exe [22]
      conhost.exe
    powershell.exe [23]
      conhost.exe
    powershell.exe [3]
      conhost.exe
  powershell.exe [22]
    conhost.exe

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label
kdsyitkxmS.exe | 32% | ReversingLabs |
kdsyitkxmS.exe | 32% | Virustotal |
kdsyitkxmS.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.spidersoft.com)Wg | 0% | Avira URL Cloud | safe
http://gais.cs.ccu.edu.tw/robot.php)Gulper | 0% | URL Reputation | safe
http://devlog.gregarius.net/docs/ua)Links | 0% | URL Reputation | safe
http://www.google. | 0% | URL Reputation | safe
http://www.exabot.com/go/robot)Opera/9.80 | 0% | URL Reputation | safe
http://www.googlebot.com/bot.html)Links | 0% | URL Reputation | safe
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency | 0% | URL Reputation | safe
http://crl.g | 0% | URL Reputation | safe
https://blockchain.infoindex | 0% | URL Reputation | safe
https://duniadekho.barhttps://duniadekho.barRegQueryValueExWUUIDPGDSE64-bitc: | 0% | Avira URL Cloud | safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC: | 0% | Avira URL Cloud | safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209- | 0% | Avira URL Cloud | safe
http://invalidlog.txtlookup | 0% | Avira URL Cloud | safe
https://duniadekho.bar | 100% | Avira URL Cloud | malware
http://grub.org)Mozilla/5.0 | 0% | Avira URL Cloud | safe
https://duniadekho.bar | 20% | Virustotal |
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize | 0% | Avira URL Cloud | safe
http://www.bloglines.com)Frame | 0% | Avira URL Cloud | safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | 100% | Avira URL Cloud | malware
https://go.microT | 0% | Avira URL Cloud | safe
https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonPro | 0% | Avira URL Cloud | safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: | 0% | Avira URL Cloud | safe
https://duniadekho.barMicrosoft | 0% | Avira URL Cloud | safe
https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://d | 0% | Avira URL Cloud | safe
http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe
https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion | 0% | Avira URL Cloud | safe
https://duniadekho.barhttps://duniadekho.barRegQueryValueExWhttps://duniadekho.barUUIDUUIDPGDSEPGDSE | 0% | Avira URL Cloud | safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez | 0% | Avira URL Cloud | safe
http://www.avantbrowser.com)MOT-V9mm/00.62 | 0% | Avira URL Cloud | safe
http://localhost:3433/https://duniadekho.baridna: | 0% | Avira URL Cloud | safe
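Most entries in the URL scanner results above are not addresses the sample contacted but strings carved from process memory, and many are fused with whatever followed them in memory: a second URL, an API name such as RegQueryValueExW, a drive letter or a SID fragment. The two indicators that matter (duniadekho.bar and the v3 .onion address) therefore appear a dozen times in slightly different mangled forms, while the crawler user-agent URLs and fragments such as http://crl.g or https://go.microT are noise. The script below is an added example and not part of the Joe Sandbox report: it splits fused candidates in front of every scheme, trims each hostname at a known top-level domain, checks .onion names for v3 structure (56 base32 characters) and de-duplicates the result. The sample inputs are copied from the table above; the small TLD allowlist is an assumption made for the example, and a production pipeline would use the public suffix list instead.

```python
"""Normalise URL-like strings carved from process memory into clean indicators.

Added example, not part of the Joe Sandbox report. Memory-carved URLs are often
fused with whatever followed them in memory, e.g.
  https://duniadekho.barhttps://duniadekho.barRegQueryValueExWUUIDPGDSE64-bitc:
This script splits such strings, trims each hostname at a known TLD, checks
.onion names for v3 structure and returns a de-duplicated indicator list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: a small TLD allowlist. A label is cut at the
# first allowlisted TLD it starts with, so "barRegQueryValueExW" becomes "bar".
KNOWN_TLDS = ("onion", "info", "com", "net", "org", "edu", "bar", "tw", "cn")

# Host labels may only contain letters, digits, dots and hyphens; the path
# stops at whitespace, quotes, angle brackets or a closing parenthesis, which
# is where carved strings such as "/robot.php)Gulper" turn into junk.
_URL_RE = re.compile(
    r"(?P<scheme>https?)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^\s\"'<>)]*)?"
)
# Zero-width split in front of every scheme, so fused URLs become separate pieces.
_SPLIT_RE = re.compile(r"(?=https?://)")
# v3 onion services: 56 base32 characters (a-z, 2-7) followed by .onion.
_ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


@dataclass(frozen=True)
class Indicator:
    scheme: str
    host: str
    port: Optional[int]
    path: str

    @property
    def is_tor(self) -> bool:
        return self.host.endswith(".onion")

    def __str__(self) -> str:
        port = f":{self.port}" if self.port else ""
        return f"{self.scheme}://{self.host}{port}{self.path}"


def trim_host(raw: str) -> Optional[str]:
    """Cut a carved hostname at its TLD; return None if no plausible host remains."""
    lowered = raw.lower()
    if lowered == "localhost":
        return lowered
    labels = lowered.split(".")
    if len(labels) < 2 or any(not label for label in labels[:-1]):
        return None
    for tld in KNOWN_TLDS:
        if labels[-1].startswith(tld):
            labels[-1] = tld
            break
    else:
        return None  # e.g. "crl.g", "go.microT", "invalidlog.txtlookup", "www.google."
    host = ".".join(labels)
    if host.endswith(".onion") and not _ONION_V3_RE.match(host):
        return None  # truncated or otherwise malformed onion name
    return host


def extract_indicators(carved: List[str]) -> List[Indicator]:
    """Return unique, cleaned indicators from a list of carved strings."""
    found = set()
    for text in carved:
        for piece in _SPLIT_RE.split(text):
            match = _URL_RE.match(piece)
            if not match:
                continue
            host = trim_host(match.group("host"))
            if host is None:
                continue
            port = int(match.group("port")) if match.group("port") else None
            found.add(Indicator(match.group("scheme"), host, port, match.group("path") or ""))
    return sorted(found, key=str)


# Inputs copied from the URL table of this report (memory-carved strings).
CARVED_STRINGS = [
    "https://duniadekho.barhttps://duniadekho.barRegQueryValueExWUUIDPGDSE64-bitc:",
    "http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-",
    "http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez",
    "http://localhost:3433/https://duniadekho.baridna:",
    "https://blockchain.infoindex",
    "http://www.exabot.com/go/robot)Opera/9.80",
    "http://invalidlog.txtlookup",
    "https://go.microT",
    "http://https://_bad_pdb_file.pdb",
    "http://www.google.",
]

if __name__ == "__main__":
    for indicator in extract_indicators(CARVED_STRINGS):
        print(("TOR " if indicator.is_tor else "    ") + str(indicator))
```

The ten carved strings collapse to five indicators: duniadekho.bar, the .onion service, the local proxy port 3433, blockchain.info and the exabot crawler URL; the truncated second copy of the onion name, the malformed PDB path and the non-TLD fragments are dropped. The TLD cut is a heuristic and will mis-split a host such as example.community, which is why the public suffix list belongs in anything beyond a worked example.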
No contacted domains info
Name: http://www.spidersoft.com)Wg
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: low
Name: http://yandex.com/
  Source: kdsyitkxmS.exe
  Malicious: false
  Reputation: high
Name: https://duniadekho.barhttps://duniadekho.barRegQueryValueExWUUIDPGDSE64-bitc:
  Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C08E000.00000004.00001000.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: http://search.msn.com/msnbot.htm)net/htt
  Source: kdsyitkxmS.exe
  Malicious: false
  Reputation: high
Name: http://invalidlog.txtlookup
  Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: http://gais.cs.ccu.edu.tw/robot.php)Gulper
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: https://duniadekho.bar
  Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C088000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C094000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C08E000.00000004.00001000.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Virustotal: 20%; Avira URL Cloud: malware
  Reputation: unknown
Name: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:
  Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E4000.00000004.00001000.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: http://devlog.gregarius.net/docs/ua)Links
  Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: http://www.google.
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-3853321935-2125563209-
  Source: kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: safe
  Reputation: low
Name: http://grub.org)Mozilla/5.0
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: low
Name: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: https://turnitin.com/robot/crawlerinfo.html)cannot
  Source: kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: http://www.exabot.com/go/robot)Opera/9.80
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: powershell.exe, 0000000B.00000002.514376329.0000000005231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.622138820.00000000051F1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: http://www.bloglines.com)Frame
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: low
Name: http://www.googlebot.com/bot.html)Links
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: http://search.msn.com/msnbot.htm)net/http:
  Source: kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
  Source: kdsyitkxmS.exe
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: https://go.microT
  Source: powershell.exe, 0000000B.00000003.473426279.0000000005BE6000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: http://pesterbdd.com/images/Pester.png
  Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown
Name: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
  Source: kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
Name: http://www.apache.org/licenses/LICENSE-2.0.html
  Source: powershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Name: http://www.google.com/bot.html)crypto/ecdh:
  Source: kdsyitkxmS.exe
  Malicious: false
  Reputation: high
Name: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
  Source: kdsyitkxmS.exe
  Malicious: true
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
Name: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-p
  Source: kdsyitkxmS.exe
  Malicious: false
  Reputation: high
                  http://search.msn.com/msnbot.htm)msnbot/1.1kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                    high
                    https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProkdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0E2000.00000004.00001000.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    https://duniadekho.barMicrosoftkdsyitkxmS.exe, 00000005.00000002.628942791.000000000C094000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C09C000.00000004.00001000.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.archive.org/details/archive.org_bot)Opera/9.80kdsyitkxmS.exefalse
                      high
                      http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                        high
                        http://yandex.com/bots)Opera/9.51kdsyitkxmS.exefalse
                          high
                          https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://dkdsyitkxmS.exe, 00000000.00000002.378631978.000000000C096000.00000004.00001000.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://www.google.com/bot.html)Mozilla/5.0kdsyitkxmS.exefalse
                            high
                            https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.514376329.0000000005369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.490620541.0000000008071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000003.480261495.0000000008062000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://https://_bad_pdb_file.pdbkdsyitkxmS.exe, 00000000.00000002.374126530.000000000378B000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.00000000035FB000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              low
                              http://archive.org/details/archive.org_bot)Mozilla/5.0kdsyitkxmS.exefalse
                                high
                                https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionkdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0E4000.00000004.00001000.00020000.00000000.sdmptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequencykdsyitkxmS.exefalse
                                • URL Reputation: safe
                                unknown
                                http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JDkdsyitkxmS.exefalse
                                  high
                                  http://www.avantbrowser.comkdsyitkxmS.exefalse
                                    high
                                    https://duniadekho.barhttps://duniadekho.barRegQueryValueExWhttps://duniadekho.barUUIDUUIDPGDSEPGDSEkdsyitkxmS.exe, 00000000.00000002.378631978.000000000C088000.00000004.00001000.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.google.com/feedfetcher.html)HKLMkdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                      high
                                      https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zipreflect.Value.IkdsyitkxmS.exefalse
                                        high
                                        http://crl.gkdsyitkxmS.exe, 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://blockchain.infoindexkdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.avantbrowser.com)MOT-V9mm/00.62kdsyitkxmS.exe, 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboezkdsyitkxmS.exe, 00000000.00000002.378631978.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.628942791.000000000C0DA000.00000004.00001000.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://localhost:3433/https://duniadekho.baridna:kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: safe
                                        low
                                        http://search.msn.com/msnbot.htm)pkcs7:kdsyitkxmS.exe, kdsyitkxmS.exe, 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kdsyitkxmS.exe, 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                          high
                                          http://www.alexa.com/help/webmasters;kdsyitkxmS.exefalse
                                            high
                                            http://www.google.com/adsbot.html)EncounteredkdsyitkxmS.exefalse
                                              high
                                              No contacted IP infos
                                              Joe Sandbox Version:37.1.0 Beryl
                                              Analysis ID:877005
                                              Start date and time:2023-05-28 11:18:06 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 9s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample file name:kdsyitkxmS.exe
                                              Original Sample Name:01fe6ba28d82175d35665b3eb6ed8cea.exe
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@19/9@0/0
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:
                                              • Successful, ratio: 15.9% (good quality ratio 7.6%)
                                              • Quality average: 40.1%
                                              • Quality standard deviation: 44.2%
                                              HCA Information:
                                              • Successful, ratio: 67%
                                              • Number of executed functions: 4
                                              • Number of non-executed functions: 5
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, TrustedInstaller.exe
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
Time      Type             Description
11:18:58  API Interceptor  7x Sleep call for process: kdsyitkxmS.exe modified
11:19:01  API Interceptor  57x Sleep call for process: powershell.exe modified
                                              No context
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):22112
                                              Entropy (8bit):5.458574769940964
                                              Encrypted:false
                                              SSDEEP:384:PtCRjm27UAxOi7wRSVud7KjrPs5a1QQ1O5SeK8vH4e60CUXrNpipUW:sT7NES6Uud7uPQPXP4JDup2
                                              MD5:3634790B93223C11F6823442769CD2DE
                                              SHA1:404532205A20742419AD10578C279EDC2655E951
                                              SHA-256:0363B7D8D80C958BB9C3449F9E6F6AD754B263FDE1530B4E916CB0F1C5FB58D1
                                              SHA-512:70F7A6D71319E0C59719D1D34F0D325F08F585274A95EA642B9D52C1BB02687767D86C7C79D34AD70F42C04396C65FF0AA452115594B782125B48E292C39E68B
                                              Malicious:false
                                              Preview:@...e...........P...............................................H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):14734
                                              Entropy (8bit):4.993014478972177
                                              Encrypted:false
                                              SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                              MD5:8D5E194411E038C060288366D6766D3D
                                              SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                              SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                              SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                              Malicious:false
                                              Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):22096
                                              Entropy (8bit):5.598969772245669
                                              Encrypted:false
                                              SSDEEP:384:hYtCRvq0a9pk00X+p3eB4Exb9zFfjE8xea5cc7QQgSeFycB4Iz60vB0GpiOUB:uk0g4Exb5B5xTVqee4JkpO
                                              MD5:34C3603404E2348EB7B24B0F5E0B55D8
                                              SHA1:881BCB253515B12F17A11F8E35FE48AA1D38C8C0
                                              SHA-256:FC7B7585CDB3CF4601034A79EBE7993A18A4C3763AA9D4B0CDF850E2BE562A44
                                              SHA-512:EF1A4BAB154356C2224BEEF1B57B0462090072928B75A41B89FD69BB0D1C3BB234F8AFB27B59F933E4703352F5C3F9B1B8B8716454164DE74B67CDD4FEF2431D
                                              Malicious:false
                                              Preview:@...e...........L...........5.".".......4............@..........H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.97472217525508
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:kdsyitkxmS.exe
                                              File size:4379008
                                              MD5:01fe6ba28d82175d35665b3eb6ed8cea
                                              SHA1:45748a6d6474f470d44e848596e0e08bce674996
                                              SHA256:626df082c2624d9530794881921094aa100fa0a805b1544112d5a07dbe12cbc2
                                              SHA512:e1537b4ebf7dd9cf345b0f8c0646de1df1152469151b43cc8c08370eb3c40393940598de98a11e47c9810d891942f385f7c6cb9ad4470a3c8941961b2a98247b
                                              SSDEEP:98304:/RKU80KHe0iz3Dt6Ds6DV8G66EjKN69i5SvbFOqRrLfO2FnC86:/4e0i7Dt6XDGG/EjKN6LjxdFnC86
                                              TLSH:BB162313A3A1BD54E9564BB39F2F92F8776EB6708F143755311DBA1B08B02B2C263B11
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L......a...........
                                              Icon Hash:454549495545611d
                                              Entrypoint:0x404e59
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x61AADEB8 [Sat Dec 4 03:21:28 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:2d9ed3462f8a74bfd1231e2e9de56b43
                                              Signature Valid:false
                                              Signature Issuer:CN=522a29533d3f200e2d1728300c141021081631313626321023042b113f2d26353224, PostalCode=10802, S=0b1c1115005f5c4e11160b0a090100180d1c4f170217 + S=0b1c1115494a5c17161151151d135100034653465007170e1c520b071c040f0f5216050f1244171f0b110e04061211081e0347124308570a1e0c0b19560a055b0c0b0a070b
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 5/28/2023 1:13:44 AM 5/27/2024 1:13:44 AM
                                              Subject Chain
                                              • CN=522a29533d3f200e2d1728300c141021081631313626321023042b113f2d26353224, PostalCode=10802, S=0b1c1115005f5c4e11160b0a090100180d1c4f170217 + S=0b1c1115494a5c17161151151d135100034653465007170e1c520b071c040f0f5216050f1244171f0b110e04061211081e0347124308570a1e0c0b19560a055b0c0b0a070b
                                              Version:3
                                              Thumbprint MD5:FA499CD6C5F7A74F5A748B778F305AE3
                                              Thumbprint SHA-1:FF3C70A0D6A66705568453AA262257D22183BCA7
                                              Thumbprint SHA-256:F96E2C83FF581F02D48E26B51B960B61592EE9B397B86A2A3A604587ABC9D0B4
                                              Serial:10F68FF5E99D28F7644E5B17DA75165E
                                              Instruction
                                              call 00007F5C50D96D73h
                                              jmp 00007F5C50D9240Dh
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              mov ecx, dword ptr [esp+04h]
                                              test ecx, 00000003h
                                              je 00007F5C50D925B6h
                                              mov al, byte ptr [ecx]
                                              add ecx, 01h
                                              test al, al
                                              je 00007F5C50D925E0h
                                              test ecx, 00000003h
                                              jne 00007F5C50D92581h
                                              add eax, 00000000h
                                              lea esp, dword ptr [esp+00000000h]
                                              lea esp, dword ptr [esp+00000000h]
                                              mov eax, dword ptr [ecx]
                                              mov edx, 7EFEFEFFh
                                              add edx, eax
                                              xor eax, FFFFFFFFh
                                              xor eax, edx
                                              add ecx, 04h
                                              test eax, 81010100h
                                              je 00007F5C50D9257Ah
                                              mov eax, dword ptr [ecx-04h]
                                              test al, al
                                              je 00007F5C50D925C4h
                                              test ah, ah
                                              je 00007F5C50D925B6h
                                              test eax, 00FF0000h
                                              je 00007F5C50D925A5h
                                              test eax, FF000000h
                                              je 00007F5C50D92594h
                                              jmp 00007F5C50D9255Fh
                                              lea eax, dword ptr [ecx-01h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-02h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-03h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-04h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              mov edi, edi
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 20h
                                              mov eax, dword ptr [ebp+08h]
                                              push esi
                                              push edi
                                              push 00000008h
                                              pop ecx
                                              mov esi, 004012D8h
                                              lea edi, dword ptr [ebp-20h]
                                              rep movsd
                                              mov dword ptr [ebp-08h], eax
                                              mov eax, dword ptr [ebp+0Ch]
                                              pop edi
                                              mov dword ptr [ebp-04h], eax
                                              pop esi
                                              Programming Language:
                                              • [ASM] VS2008 build 21022
                                              • [ C ] VS2008 build 21022
                                              • [C++] VS2008 build 21022
                                              • [IMP] VS2005 build 50727
                                              • [RES] VS2008 build 21022
                                              • [LNK] VS2008 build 21022
                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x40b828         0x64          .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x653000         0x19398       .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x42c600         0xb80         .data
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x915000         0xddc         .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x1220           0x1c          .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3150           0x40          .text
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                               Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
                                               .text   0x1000           0x40b2ea      0x40b400  unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .data   0x40d000         0x245844      0x1e00    unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc   0x653000         0x2c1398      0x19400   unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc  0x915000         0x5a16        0x5c00    False     0.12958559782608695  data       1.558620115158612  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name           RVA       Size    Type                                                            Language  Country
                                               RT_ICON        0x653730  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
                                               RT_ICON        0x6545d8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
                                               RT_ICON        0x654e80  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
                                               RT_ICON        0x657428  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
                                               RT_ICON        0x6584d0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
                                               RT_ICON        0x658988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
                                               RT_ICON        0x659830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
                                               RT_ICON        0x65a0d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
                                               RT_ICON        0x65a640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
                                               RT_ICON        0x65cbe8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
                                               RT_ICON        0x65dc90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
                                               RT_ICON        0x65e618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
                                               RT_ICON        0x65eae8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
                                               RT_ICON        0x65f990  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
                                               RT_ICON        0x660238  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0
                                               RT_ICON        0x660900  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
                                               RT_ICON        0x660e68  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
                                               RT_ICON        0x663410  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
                                               RT_ICON        0x6644b8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
                                               RT_ICON        0x664988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
                                               RT_ICON        0x665830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
                                               RT_ICON        0x6660d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
                                               RT_ICON        0x666640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
                                               RT_ICON        0x668be8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
                                               RT_ICON        0x669c90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
                                               RT_ICON        0x66a618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
                                               RT_STRING      0x66ad20  0x664   data
                                               RT_STRING      0x66b388  0x59e   data
                                               RT_STRING      0x66b928  0x29a   data
                                               RT_STRING      0x66bbc8  0x248   data
                                               RT_STRING      0x66be10  0x582   data
                                               RT_GROUP_ICON  0x66aa80  0x68    data
                                               RT_GROUP_ICON  0x658938  0x4c    data
                                               RT_GROUP_ICON  0x664920  0x68    data
                                               RT_GROUP_ICON  0x65ea80  0x68    data
                                               RT_VERSION     0x66aae8  0x238   data
                                               DLL           Import
                                               KERNEL32.dll  GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
                                               USER32.dll    CharLowerBuffA
                                               GDI32.dll     GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
                                               ADVAPI32.dll  MapGenericMask
                                              No network behavior found

                                              Target ID:0
                                              Start time:11:18:56
                                              Start date:28/05/2023
                                              Path:C:\Users\user\Desktop\kdsyitkxmS.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\kdsyitkxmS.exe
                                              Imagebase:0x400000
                                              File size:4379008 bytes
                                              MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.374126530.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems)
                                              • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000000.00000003.353503298.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.374126530.0000000003503000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000003.353503298.0000000003DF1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:1
                                              Start time:11:18:59
                                              Start date:28/05/2023
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell -nologo -noprofile
                                              Imagebase:0xb40000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:2
                                              Start time:11:18:59
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff745070000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:5
                                              Start time:11:19:03
                                              Start date:28/05/2023
                                              Path:C:\Users\user\Desktop\kdsyitkxmS.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\kdsyitkxmS.exe
                                              Imagebase:0x400000
                                              File size:4379008 bytes
                                              MD5 hash:01FE6BA28D82175D35665B3EB6ED8CEA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000005.00000003.368338557.0000000003820000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems)
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000003.368338557.0000000003C61000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.624452357.0000000003373000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.624452357.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:6
                                              Start time:11:19:05
                                              Start date:28/05/2023
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell -nologo -noprofile
                                              Imagebase:0x7ff745070000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Target ID:7
                                              Start time:11:19:06
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff745070000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:8
                                              Start time:11:19:10
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                              Imagebase:0x7ff707bb0000
                                              File size:273920 bytes
                                              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:9
                                              Start time:11:19:10
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff745070000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:10
                                              Start time:11:19:10
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\netsh.exe
                                              Wow64 process (32bit):false
                                              Commandline:netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                              Imagebase:0x7ff762f70000
                                              File size:92672 bytes
                                              MD5 hash:98CC37BBF363A38834253E22C80A8F32
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:11
                                              Start time:11:19:11
                                              Start date:28/05/2023
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell -nologo -noprofile
                                              Imagebase:0xb40000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET

                                              Target ID:12
                                              Start time:11:19:11
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff745070000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:15
                                              Start time:11:20:14
                                              Start date:28/05/2023
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell -nologo -noprofile
                                              Imagebase:0xb40000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET

                                              Target ID:16
                                              Start time:11:20:14
                                              Start date:28/05/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff745070000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                                Execution Graph

                                                Execution Coverage:5.7%
                                                Dynamic/Decrypted Code Coverage:92.3%
                                                Signature Coverage:46.2%
                                                Total number of Nodes:13
                                                Total number of Limit Nodes:0

                                                Control-flow Graph

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CC17EE
                                                • Module32First.KERNEL32(00000000,00000224), ref: 02CC180E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CC1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2cc1000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 3833638111-0
                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction ID: af87a580a40f9d5485918974bfe4f97cb61349ec856aeed7894f186f30c07cd7
                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction Fuzzy Hash: 9EF096362007146FD7203BF6A88DB6E76E8AF89629F34052CE64AD10C1DBB0E9464A61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CC14D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CC1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2cc1000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction ID: fbb570b06a82da6ba7e398ee8d49c65854d3a0997495e32fc848a3cd8fd81726
                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction Fuzzy Hash: EE113F79A00208EFDB01DF99C985E99BBF5AF08351F198094F9499B362D371EA50EF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.370479632.0000000002CC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CC1000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2cc1000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                • Instruction ID: dde7b548207486a83ec9d7e07c9cf9cad19eb7a6547465ea99b7d22d03168d7d
                                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                • Instruction Fuzzy Hash: FC1152723401019FD754DF56DC81FA673EAEB89370B298169ED08CB316D6B9E842C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.367355865.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CEE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-4242833809
                                                • Opcode ID: 20aabe7c57ed713dc53ab7133c1b5dcc0a19f10a37ebecd0e135bd91beed50a2
                                                • Instruction ID: 6fcaa64efd58217ac080efa4f8a4c21e0b10e2ac8e385373cc371b92e99f24cd
                                                • Opcode Fuzzy Hash: 20aabe7c57ed713dc53ab7133c1b5dcc0a19f10a37ebecd0e135bd91beed50a2
                                                • Instruction Fuzzy Hash: 1C81DDB45097018FD700EF66C18575AFBE0BF88708F41992EF4988B382EB789945CF5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.367355865.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.367355865.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000843000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CEE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.367355865.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-3530339137
                                                • Opcode ID: 18ff348ea480f71f0e9291ba3290351b9b9186a0794f92d72d7edbbc36906a29
                                                • Instruction ID: a139eb32645f21f9645e61bdd39f90aa6502d33d9f1d094d0c3f5a4a73e01cc9
                                                • Opcode Fuzzy Hash: 18ff348ea480f71f0e9291ba3290351b9b9186a0794f92d72d7edbbc36906a29
                                                • Instruction Fuzzy Hash: 6E31EFB45087018FD700EF25C185B1AFBE0BF88708F45886EF48887352D7789988CBAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:5.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:12
                                                Total number of Limit Nodes:1

                                                Control-flow Graph

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B357EE
                                                • Module32First.KERNEL32(00000000,00000224), ref: 02B3580E
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B35000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2b35000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 3833638111-0
                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction ID: 8f0cc015f9a7b4c535f91278c23cc2094b734c59f790914824e5c91004f8dfd4
                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction Fuzzy Hash: 3BF09631200710BFD7313FF9A88DBAE76E8EF4D625F500568E642920C0DB70F8454B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B354D6
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.622953381.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B35000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_2b35000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction ID: 2487ffd585daf5a0a63afcb526055875ca5c1f0c9e14a60ec0dc537133d91900
                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction Fuzzy Hash: 74112B79A00208EFDB01DF98C985E99BBF5AF08350F468094F9489B362D371EA90DF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.619390815.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CEE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-4242833809
                                                • Opcode ID: 20aabe7c57ed713dc53ab7133c1b5dcc0a19f10a37ebecd0e135bd91beed50a2
                                                • Instruction ID: 6fcaa64efd58217ac080efa4f8a4c21e0b10e2ac8e385373cc371b92e99f24cd
                                                • Opcode Fuzzy Hash: 20aabe7c57ed713dc53ab7133c1b5dcc0a19f10a37ebecd0e135bd91beed50a2
                                                • Instruction Fuzzy Hash: 1C81DDB45097018FD700EF66C18575AFBE0BF88708F41992EF4988B382EB789945CF5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.619390815.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.619390815.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000843000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CCE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CD2000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CEE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000005.00000002.619390815.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_kdsyitkxmS.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-3530339137
                                                • Opcode ID: 18ff348ea480f71f0e9291ba3290351b9b9186a0794f92d72d7edbbc36906a29
                                                • Instruction ID: a139eb32645f21f9645e61bdd39f90aa6502d33d9f1d094d0c3f5a4a73e01cc9
                                                • Opcode Fuzzy Hash: 18ff348ea480f71f0e9291ba3290351b9b9186a0794f92d72d7edbbc36906a29
                                                • Instruction Fuzzy Hash: 6E31EFB45087018FD700EF25C185B1AFBE0BF88708F45886EF48887352D7789988CBAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%