
Windows Analysis Report
7KlNbK2xkt.exe

Overview

General Information

Sample name: 7KlNbK2xkt.exe (renamed because original name is a hash value)
Original sample name: 88005bd682544ea46a7d19be17f034cce2495baeab462956858b0689a8f702da.exe
Analysis ID: 1584309
MD5: ca9f0f2dda1cb0439275f6d975dabcf4
SHA1: 2a8515d75c6d70f25669623adb0e2d949caff86b
SHA256: 88005bd682544ea46a7d19be17f034cce2495baeab462956858b0689a8f702da
Tags: exe, user-zhuzhu0009

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses a Windows Living Off The Land Binaries (LOL bins)

Classification

  • System is w10x64
  • 7KlNbK2xkt.exe (PID: 1868 cmdline: "C:\Users\user\Desktop\7KlNbK2xkt.exe" MD5: CA9F0F2DDA1CB0439275F6D975DABCF4)
    • cmd.exe (PID: 2332 cmdline: /c ipconfig /flushdns MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 2340 cmdline: ipconfig /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • cmd.exe (PID: 3700 cmdline: /c netsh interface ip delete arpcache MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2768 cmdline: netsh interface ip delete arpcache MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 4128 cmdline: /c certutil -URLCache * delete MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 5620 cmdline: certutil -URLCache * delete MD5: F17616EC0522FC5633151F7CAA278CAA)
    • cmd.exe (PID: 7104 cmdline: /c netsh int ip reset MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 3404 cmdline: netsh int ip reset MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 6108 cmdline: /c netsh int ipv4 reset MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5904 cmdline: netsh int ipv4 reset MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 4300 cmdline: /c netsh int ipv6 reset MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 4040 cmdline: netsh int ipv6 reset MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 4568 cmdline: /c netsh winsock reset MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 3344 cmdline: netsh winsock reset MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 4124 cmdline: /c ping -w 250 -n 1 144.217.123.198 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2852 cmdline: ping -w 250 -n 1 144.217.123.198 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 3120 cmdline: /c ping -w 250 -n 1 144.217.123.200 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2740 cmdline: ping -w 250 -n 1 144.217.123.200 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 5616 cmdline: /c ping -w 250 -n 1 144.217.123.202 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4476 cmdline: ping -w 250 -n 1 144.217.123.202 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 3552 cmdline: /c ping -w 250 -n 1 144.217.153.89 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5316 cmdline: ping -w 250 -n 1 144.217.153.89 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 3772 cmdline: /c ping -w 250 -n 1 144.217.153.92 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2220 cmdline: ping -w 250 -n 1 144.217.153.92 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 6872 cmdline: /c ping -w 250 -n 1 192.95.19.137 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4424 cmdline: ping -w 250 -n 1 192.95.19.137 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 4200 cmdline: /c ping -w 250 -n 1 192.99.98.193 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4152 cmdline: ping -w 250 -n 1 192.99.98.193 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • cmd.exe (PID: 3608 cmdline: /c ping -w 250 -n 1 192.95.20.7 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4536 cmdline: ping -w 250 -n 1 192.95.20.7 MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 7KlNbK2xkt.exe | Virustotal: Detection: 22%
Source: 7KlNbK2xkt.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 7KlNbK2xkt.exe | Joe Sandbox ML: detected
Source: Binary string: E:\Server (QC)\Loader\x64\Release\Loader.pdbd | source: 7KlNbK2xkt.exe, 00000000.00000003.1426963576.000001FF96260000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Server (QC)\Loader\x64\Release\Loader.pdb | source: 7KlNbK2xkt.exe, 00000000.00000003.1426963576.000001FF96260000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuN
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10337LMEM
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.cssLMEM
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.jsLME
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.jsLMEM
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439

System Summary

Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: 7KlNbK2xkt.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | File created: C:\Windows\appcompat\Programs\Amcache.hve
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | File deleted: C:\Windows\Prefetch\cadrespri.7db
Source: 7KlNbK2xkt.exe | Static PE information: Number of sections : 13 > 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -URLCache * delete
Source: 7KlNbK2xkt.exe | Static PE information: Section: ZLIB complexity 0.9983488943292371
Source: 7KlNbK2xkt.exe | Static PE information: Section: ZLIB complexity 0.9916797551993067
Source: 7KlNbK2xkt.exe | Static PE information: Section: ZLIB complexity 0.9966264204545454
Source: 7KlNbK2xkt.exe | Static PE information: Section: ZLIB complexity 0.9960575810185185
Source: 7KlNbK2xkt.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@75/5@0/8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7KlNbK2xkt.exe | Virustotal: Detection: 22%
Source: 7KlNbK2xkt.exe | ReversingLabs: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\7KlNbK2xkt.exe "C:\Users\user\Desktop\7KlNbK2xkt.exe"
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ipconfig /flushdns
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh interface ip delete arpcache
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh interface ip delete arpcache
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c certutil -URLCache * delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -URLCache * delete
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ip reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ip reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ipv4 reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ipv4 reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ipv6 reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ipv6 reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh winsock reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh winsock reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.198
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.200
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.200
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.202
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.202
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.153.89
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.89
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.153.92
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.92
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.95.19.137
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.19.137
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.99.98.193
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.99.98.193
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.95.20.7
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.20.7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ipconfig /flushdns
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh interface ip delete arpcache
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c certutil -URLCache * delete
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ip reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ipv4 reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh int ipv6 reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c netsh winsock reset
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.198
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.200
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.123.202
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 144.217.153.89
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.95.19.137
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.99.98.193
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Process created: C:\Windows\System32\cmd.exe /c ping -w 250 -n 1 192.95.20.7
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh interface ip delete arpcache
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -URLCache * delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ip reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ipv4 reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh int ipv6 reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh winsock reset
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.200
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.202
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.89
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.92
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.19.137
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.99.98.193
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.20.7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\certutil.exe | Sections loaded: certcli.dll, cabinet.dll, cryptui.dll, ncrypt.dll, netapi32.dll, ntdsapi.dll, version.dll, secur32.dll, certca.dll, cryptsp.dll, samcli.dll, logoncli.dll, dsrole.dll, netutils.dll, sspicli.dll, ntasn1.dll, uxtheme.dll, profapi.dll, cryptnet.dll, wininet.dll, iertutil.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Sections loaded: kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, fwpuclnt.dll, rasman.dll, mfc42u.dll, rasman.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nettrace.dll, sspicli.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, wcnnetsh.dll, wlanapi.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wshelper.dll, wevtapi.dll, mswsock.dll, wwancfg.dll, wwapi.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, peerdistsh.dll, uxtheme.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, rtutils.dll, windows.storage.dll, wldp.dll, msasn1.dll
Source: C:\Windows\System32\netsh.exe | Sections loaded: kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, rasman.dll, fwpuclnt.dll, mfc42u.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nettrace.dll, sspicli.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, wcnnetsh.dll, wlanapi.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wshelper.dll, wevtapi.dll, mswsock.dll, wwancfg.dll, wwapi.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, peerdistsh.dll, uxtheme.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, windows.storage.dll, wldp.dll, msasn1.dll
Source: C:\Windows\System32\PING.EXE | Sections loaded: iphlpapi.dll, winnsi.dll, mswsock.dll
Source: C:\Windows\System32\certutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 7KlNbK2xkt.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 7KlNbK2xkt.exe | Static file information: File size 19278864 > 1048576
Source: 7KlNbK2xkt.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x10d2600
Source: Binary string: E:\Server (QC)\Loader\x64\Release\Loader.pdbd source: 7KlNbK2xkt.exe, 00000000.00000003.1426963576.000001FF96260000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Server (QC)\Loader\x64\Release\Loader.pdb source: 7KlNbK2xkt.exe, 00000000.00000003.1426963576.000001FF96260000.00000004.00001000.00020000.00000000.sdmp
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: 7KlNbK2xkt.exe | Static PE information: six sections with a blank section name
Source: 7KlNbK2xkt.exe | Static PE information: section name: .themida
Source: 7KlNbK2xkt.exe | Static PE information: section name: .boot
Source: 7KlNbK2xkt.exe | Static PE information: section with a blank name, entropy: 7.9859216384168565
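The static checks recorded above (image base above 0x60000000, entry point in .boot, blank section names, a section with entropy close to 8) are cheap to reproduce without the sandbox. The script below is an added example, not Joe Sandbox's code and not the sample's: a standard-library Python parser that walks the PE section table and raises the same findings. It runs here against a PE image constructed in the script (build_pe32plus, a test fixture, not the analysed binary) laid out to resemble 7KlNbK2xkt.exe. The 7.0 entropy threshold and the STANDARD_SECTIONS list are my own choices.

```python
"""Static PE section triage (added example; not Joe Sandbox's or the sample's code).

Reproduces the checks behind the 'Static PE information' lines above on any
PE32/PE32+ file: image base above 0x60000000, entry point outside the usual
code sections, blank or non-printable section names, per-section Shannon
entropy and sections whose raw size exceeds 1 MiB. Standard library only.
The PE returned by build_pe32plus() is a constructed fixture so the script
runs offline; it is not the analysed binary.
"""
import math
import struct
from collections import Counter

# My own list of sections an entry point normally lives in (assumption).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc",
                     ".reloc", ".idata", ".edata", ".tls", ".bss"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (image_base, entry_rva, sections) read from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    elif magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        name = raw_name.rstrip(b"\0")
        sections.append({
            "name": name,
            "printable": bool(name) and all(0x21 <= b < 0x7F for b in name),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
        off += 40
    return image_base, entry_rva, sections


def triage(pe: bytes, entropy_threshold=7.0, raw_limit=0x100000, base_limit=0x60000000):
    """Return the findings the report's static checks would raise for this image."""
    image_base, entry_rva, sections = parse_pe(pe)
    findings = []
    if image_base > base_limit:
        findings.append(f"image base {image_base:#x} > {base_limit:#x}")
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if entry is None:
        findings.append(f"entry point {entry_rva:#x} outside every section")
    elif entry["name"].decode("latin-1") not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {entry['name']!r}")
    for s in sections:
        label = s["name"].decode("latin-1") if s["printable"] else "<unprintable>"
        if not s["printable"]:
            findings.append(f"section {s['name']!r} has a blank or non-printable name")
        if s["entropy"] > entropy_threshold:
            findings.append(f"section {label} entropy {s['entropy']:.2f} > {entropy_threshold}")
        if s["raw_size"] > raw_limit:
            findings.append(f"section {label} raw size {s['raw_size']:#x} > {raw_limit:#x}")
    return findings


def build_pe32plus(sections, image_base=0x140000000, entry_rva=0x1000):
    """Construct a minimal, non-runnable PE32+ image (test fixture only)."""
    opt_size, file_align = 240, 0x200
    headers_size = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)    # section / file alignment
    table, body, va, raw_ptr = bytearray(), bytearray(), 0x1000, headers_size
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += max(0x1000, -(-len(data) // 0x1000) * 0x1000)
        raw_ptr += raw_size
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0")
    return bytes(header + body)


# Constructed fixture echoing the report: a high-entropy .boot section holding
# the entry point, a .themida section and a section with an unprintable name.
SAMPLE_PE = build_pe32plus(
    [(b".text", b"\xC3" * 0x200),
     (b"\x01\x02", b"\x00" * 0x200),
     (b".themida", b"A" * 0x200),
     (b".boot", bytes(range(256)) * 16)],   # 4 KiB, every byte value 16 times
    image_base=0x140000000,
    entry_rva=0x4000,                        # RVA of .boot in this layout
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE):
        print(finding)
```

Against the real sample call triage(open(path, "rb").read()); Themida-protected binaries typically carry sections whose names are control or non-ASCII bytes next to .themida and .boot, which is why the section names in the report render blank.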

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns

Boot Survival

Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TPM\WMI
Source: C:\Windows\System32\netsh.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\7KlNbK2xkt.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Section loaded: OutputDebugStringW count: 650
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.200
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.202
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.89
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.92
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.19.137
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.99.98.193
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.20.7
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.200
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.202
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.89
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.92
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.19.137
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.99.98.193
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.20.7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 796
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 1508
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 768
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 683
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 353
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 974
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 1342
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 367
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 559
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Window / User API: threadDelayed 739
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe TID: 2156 Thread sleep time: -122000s >= -30000s
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe TID: 2332 Thread sleep time: -76500s >= -30000s
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateThreadEx: Direct from: 0x7FF6E687A0F7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtMapViewOfSection: Direct from: 0x7FF6E687C03C
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryValueKey: Direct from: 0x7FF6E685F5D9
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E685F786
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetValueKey: Direct from: 0x7FF6E685F589
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtUnmapViewOfSection: Direct from: 0x7FF6E687AB4E
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Indirect: 0x7FF6E8547D20
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtAllocateVirtualMemory: Direct from: 0x7FFBCB784B5E
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E687BE46
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetValueKey: Direct from: 0x7FF6E685F53E
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtDeviceIoControlFile: Direct from: 0x7FF6E8965EDF
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryInformationProcess: Direct from: 0x7FF6E687AE74
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtDeviceIoControlFile: Direct from: 0x7FF6E68CF111
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Direct from: 0x7FF6E89D1323
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Direct from: 0x7FFBCB7626A1
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E89A55A9
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryValueKey: Direct from: 0x7FF6E685F6CB
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtDeviceIoControlFile: Direct from: 0x7FF6E68CF08C
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtDeviceIoControlFile: Direct from: 0x7FF6E899A82C
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E687AAC1
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtMapViewOfSection: Direct from: 0x7FF6E687BE34
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetContextThread: Direct from: 0x7FF6E687A3F4
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateMutant: Direct from: 0x7FF6E6888E86
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryValueKey: Direct from: 0x7FF6E89B4416
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryInformationProcess: Direct from: 0x7FF6E6879FC5
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryInformationProcess: Direct from: 0x7FF6E89BD349
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Direct from: 0x7FF6E6879F2C
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateFile: Direct from: 0x7FF6E687AFC5
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E685F325
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateThreadEx: Direct from: 0x7FF6E893CDBF
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryValueKey: Direct from: 0x7FF6E89AF5F1
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtDeviceIoControlFile: Direct from: 0x7FF6E8997493
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Direct from: 0x7FF6E687AA9F
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetInformationThread: Direct from: 0x7FF6E68897EE
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetValueKey: Direct from: 0x7FF6E89CFEB3
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryInformationProcess: Indirect: 0x7FF6E857C333
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtUnmapViewOfSection: Direct from: 0x7FF6E687AAAF
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenKeyEx: Direct from: 0x7FF6E899FDDF
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetInformationProcess: Direct from: 0x7FF6E6879E93
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E687C04E
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtAllocateVirtualMemory: Direct from: 0x7FF6E89ADEFE
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E687A229
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQuerySystemInformation: Direct from: 0x7FF6E684D34E
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryValueKey: Direct from: 0x7FF6E685EAF7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenSection: Direct from: 0x7FF6E685ED7D
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenKeyEx: Direct from: 0x7FF6E685EAB2
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateKey: Direct from: 0x7FF6E685F4EB
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtCreateThreadEx: Direct from: 0x7FF6E895126D
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenKeyEx: Direct from: 0x7FF6E89D7252
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtClose: Direct from: 0x7FF6E8988A18
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtSetInformationThread: Indirect: 0x7FF6E8577101
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtProtectVirtualMemory: Direct from: 0x7FF6E896145F
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenKeyEx: Direct from: 0x7FF6E899B4B3
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtOpenKeyEx: Direct from: 0x7FF6E685F4A5
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe NtQueryInformationProcess: Indirect: 0x7FF6E859FFD3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh interface ip delete arpcache
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -URLCache * delete
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh int ip reset
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh int ipv4 reset
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh int ipv6 reset
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh winsock reset
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.198
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.200
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.123.202
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.89
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 144.217.153.92
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.19.137
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.99.98.193
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -w 250 -n 1 192.95.20.7
Source: C:\Users\user\Desktop\7KlNbK2xkt.exe Queries volume information: C:\Windows\appcompat\Programs\Amcache.hve VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh interface ip delete arpcache
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 1 Masquerading | OS Credential Dumping | 52 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 43 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 43 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 2 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1584309 | Sample: 7KlNbK2xkt.exe | Startdate: 05/01/2025 | Architecture: WINDOWS | Score: 100

Sample signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file contains section with special chars; AI detected suspicious sample

Process tree:
  • 7KlNbK2xkt.exe (started)
    Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to delay execution (extensive OutputDebugStringW loop); 4 other signatures
    • cmd.exe (started)
      Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings
      • 2 other processes
    • cmd.exe (started)
      • PING.EXE (started) -> 144.217.123.200 OVHFR Canada
      • conhost.exe (started)
    • cmd.exe (started)
      • PING.EXE (started) -> 192.95.19.137 OVHFR Canada
      • conhost.exe (started)
    • 12 other processes
      • PING.EXE (started) -> 144.217.123.198 OVHFR Canada
      • PING.EXE (started) -> 144.217.123.202 OVHFR Canada
      • PING.EXE (started) -> 144.217.153.89 OVHFR Canada
      • 21 other processes -> 144.217.153.92 OVHFR Canada; 2 other IPs or domains
Source | Detection | Scanner | Label
7KlNbK2xkt.exe | 23% | Virustotal |
7KlNbK2xkt.exe | 24% | ReversingLabs | Win32.Trojan.Generic
7KlNbK2xkt.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn | certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a& | certutil.exe, 0000000A.00000002.1448028812.0000024F32547000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
144.217.123.198 | unknown | Canada | 16276 | OVHFR | true
192.95.19.137 | unknown | Canada | 16276 | OVHFR | true
192.95.20.7 | unknown | Canada | 16276 | OVHFR | true
144.217.123.200 | unknown | Canada | 16276 | OVHFR | true
144.217.153.92 | unknown | Canada | 16276 | OVHFR | true
144.217.123.202 | unknown | Canada | 16276 | OVHFR | true
192.99.98.193 | unknown | Canada | 16276 | OVHFR | true
144.217.153.89 | unknown | Canada | 16276 | OVHFR | true
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1584309
            Start date and time:2025-01-05 07:18:13 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 9m 55s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:52
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:7KlNbK2xkt.exe
            renamed because original name is a hash value
            Original Sample Name:88005bd682544ea46a7d19be17f034cce2495baeab462956858b0689a8f702da.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@75/5@0/8
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 20.12.23.50
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
01:19:16 | API Interceptor | 59063x Sleep call for process: 7KlNbK2xkt.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | armv7l.elf | malicious | Unknown | 145.239.178.218
OVHFR | sHCznAai4a.bat | malicious | Unknown | 54.39.248.66
OVHFR | fuckunix.sh4.elf | malicious | Mirai | 51.195.5.52
OVHFR | fuckunix.arm.elf | malicious | Mirai | 217.182.72.80
OVHFR | Fantazy.arm7.elf | malicious | Mirai | 8.33.192.100
OVHFR | 1.elf | malicious | Unknown | 151.80.39.185
OVHFR | armv5l.elf | malicious | Mirai | 54.39.164.223
OVHFR | http://www.escudier-sas.fr | malicious | CAPTCHA Scam ClickFix | 145.239.37.162
OVHFR | hiwA7Blv7C.exe | malicious | Xmrig | 54.37.137.114
OVHFR | file.exe | malicious | Xmrig | 51.222.200.133
            No context
            Process:C:\Windows\System32\netsh.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):107
            Entropy (8bit):4.225046504182161
            Encrypted:false
            SSDEEP:3:lTzWDRtAxFrgyKVzbtRuFrDfTXwadI8ycO7vn:lXERtwrgyKHRuZDTwYZIr
            MD5:21E9B1B59F89DA69F809231748AA0A30
            SHA1:E1C1814AED4AC28956AF1A3FA1C06A1AF7CD4581
            SHA-256:EE7C8ADF2AC455A388B351035D80F2C3814101A1D4F77EE812B6BDF7E749F485
            SHA-512:CE03F2246D58F3FEA2C392864B71CE5364A5EB0893627E4D973B524830FE5FB1726EE0DAA282210D4ED98D7F0CDA3AE95328D00611AB0F82637E1C773699DE42
            Malicious:false
            Preview:..Sucessfully reset the Winsock Catalog...You must restart the computer in order to complete the reset.....
            File type:PE32+ executable (GUI) x86-64, for MS Windows
            Entropy (8bit):7.960948937447116
            TrID:
            • Win64 Executable GUI (202006/5) 92.65%
            • Win64 Executable (generic) (12005/4) 5.51%
            • Generic Win/DOS Executable (2004/3) 0.92%
            • DOS Executable Generic (2002/1) 0.92%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:7KlNbK2xkt.exe
            File size:19'278'864 bytes
            MD5:ca9f0f2dda1cb0439275f6d975dabcf4
            SHA1:2a8515d75c6d70f25669623adb0e2d949caff86b
            SHA256:88005bd682544ea46a7d19be17f034cce2495baeab462956858b0689a8f702da
            SHA512:bbe3b713babc260f62a9a138af34f5a8a887f1c5f306e683f6da0cc4184c99664c4c4745ab003fe6a77c70fd2ae2e5ac22d70a2bbef84119ed122c7138df4eb6
            SSDEEP:393216:PHNQZNFJT2niKMO760wbkDthnLgW1N5o7RWWrQ:/NYNFMnsO7UbghL7N5Qo
            TLSH:35173317AA43EC6EC4BA23F91441C6FED727AFC8941A934B54F62C23B1931174E974E8
            File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........................8.....................a.................................V.....................................7.......7......
            Icon Hash:4f0723454d331751
            Entrypoint:0x142284058
            Entrypoint Section:.boot
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x662C0354 [Fri Apr 26 19:41:08 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:e214abd536041e6aeaffeb784cc36e8e
            Instruction
            call 00007F5AF06D3617h
            inc ecx
            push edx
            dec ecx
            mov edx, esp
            inc ecx
            push edx
            dec ecx
            mov esi, dword ptr [edx+10h]
            dec ecx
            mov edi, dword ptr [edx+20h]
            cld
            mov dl, 80h
            mov al, byte ptr [esi]
            dec eax
            inc esi
            mov byte ptr [edi], al
            dec eax
            inc edi
            mov ebx, 00000002h
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            jnc 00007F5AF06D3476h
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            jnc 00007F5AF06D34F0h
            xor eax, eax
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            jnc 00007F5AF06D3598h
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            adc eax, eax
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            adc eax, eax
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            adc eax, eax
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            adc eax, eax
            je 00007F5AF06D349Bh
            push edi
            mov eax, eax
            dec eax
            sub edi, eax
            mov al, byte ptr [edi]
            pop edi
            mov byte ptr [edi], al
            dec eax
            inc edi
            mov ebx, 00000002h
            jmp 00007F5AF06D341Ah
            mov eax, 00000001h
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            adc eax, eax
            add dl, dl
            jne 00007F5AF06D3499h
            mov dl, byte ptr [esi]
            dec eax
            inc esi
            adc dl, dl
            jc 00007F5AF06D3478h
            sub eax, ebx
            mov ebx, 00000001h
            jne 00007F5AF06D34C0h
            mov ecx, 00000001h
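The stub at the entry point has the structure of the aPLib reference decompressor: `mov dl, 80h` primes the tag-bit buffer, the repeated `add dl, dl / jne / mov dl, [esi] / inc esi / adc dl, dl` sequence is its getbit, the `mov eax, 1 / adc eax, eax` loop is its gamma decoder, and the `push edi / sub edi, eax / mov al, [edi] / pop edi` fragment is the 4-bit-offset single-byte copy, with `mov ebx, 2` / `mov ebx, 1` recording whether the last token was a literal. The `dec eax` shown before each `inc esi` / `inc edi` is not a real instruction: the listing decodes 64-bit code as 32-bit, and byte 0x48 there is the REX.W prefix of `inc rsi` / `inc rdi`. The Python below is an added example, not code from the report or from the sample: a decoder implementing that token grammar, plus a minimal greedy encoder so the decoder can be exercised offline on constructed input. The names `aplib_depack`, `aplib_pack` and `_BitWriter` are mine, and the encoder deliberately emits only literals and full offset/length pairs, which yields a valid stream but not what the real aPLib packer would produce.

```python
def aplib_depack(src: bytes) -> bytes:
    """Decode an aPLib stream the way the entry-point stub does (tag bits MSB-first)."""
    pos, tag, bitcount = 0, 0, 0

    def getbit() -> int:                       # add dl,dl / jne / mov dl,[esi] / adc dl,dl
        nonlocal pos, tag, bitcount
        if bitcount == 0:                      # buffer empty: fetch the next tag byte
            tag, pos, bitcount = src[pos], pos + 1, 8
        bitcount -= 1
        return (tag >> bitcount) & 1

    def getgamma() -> int:                     # mov eax,1 then adc eax,eax while the stop bit is 1
        result = 1
        while True:
            result = (result << 1) | getbit()
            if not getbit():
                return result

    def take() -> int:                         # raw byte from the source stream
        nonlocal pos
        pos += 1
        return src[pos - 1]

    out = bytearray([take()])                  # first byte is always a literal

    def copy(offs: int, length: int) -> None:  # byte-wise so overlapping matches work
        if not 0 < offs <= len(out):
            raise ValueError("match offset outside decoded data")
        for _ in range(length):
            out.append(out[-offs])

    lwm, r0 = 0, 0                             # "last was match" (ebx) and previous offset
    while True:
        if not getbit():                       # 0: literal byte
            out.append(take()); lwm = 0
        elif not getbit():                     # 10: gamma-coded offset / length pair
            offs = getgamma()
            if lwm == 0 and offs == 2:         # reuse the previous offset
                offs, length = r0, getgamma()
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) | take()
                length = getgamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                r0 = offs
            copy(offs, length); lwm = 1
        elif not getbit():                     # 110: 7-bit offset, 2- or 3-byte match
            b = take()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:                      # offset 0 terminates the stream
                return bytes(out)
            copy(offs, length); r0, lwm = offs, 1
        else:                                  # 111: 4-bit offset, single byte (0 = literal zero)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | getbit()
            if offs:
                copy(offs, 1)
            else:
                out.append(0)
            lwm = 0


class _BitWriter:
    """Emits tag bytes exactly where the decoder will fetch them, raw bytes in between."""
    def __init__(self) -> None:
        self.buf, self.tag_at, self.nbits = bytearray(), 0, 0

    def bit(self, b: int) -> None:
        if self.nbits == 0:                    # open a new tag byte at the current stream position
            self.tag_at, self.nbits = len(self.buf), 8
            self.buf.append(0)
        self.nbits -= 1
        self.buf[self.tag_at] |= (b & 1) << self.nbits

    def gamma(self, v: int) -> None:           # v >= 2: data bit, then 1 = more / 0 = stop
        bits = bin(v)[3:]                      # drop the implicit leading 1
        for i, ch in enumerate(bits):
            self.bit(int(ch)); self.bit(i < len(bits) - 1)

    def byte(self, v: int) -> None:
        self.buf.append(v & 0xFF)


def aplib_pack(data: bytes, window: int = 1024, min_match: int = 4) -> bytes:
    """Greedy encoder using only literals and full offset/length pairs (valid, not optimal)."""
    if not data:
        raise ValueError("empty input")
    w = _BitWriter()
    w.byte(data[0])
    i, lwm = 1, 0
    while i < len(data):
        best_len, best_off = 0, 0
        for j in range(max(0, i - window), i):
            n = 0
            while i + n < len(data) and n < 255 and data[j + n] == data[i + n]:
                n += 1
            if n > best_len:
                best_len, best_off = n, i - j
        if best_len < min_match:               # min_match 4 keeps the length gamma >= 2 below
            w.bit(0); w.byte(data[i]); i += 1; lwm = 0
            continue
        w.bit(1); w.bit(0)
        w.gamma((best_off >> 8) + (3 if lwm == 0 else 2))
        w.byte(best_off & 0xFF)
        extra = (best_off >= 32000) + (best_off >= 1280) + 2 * (best_off < 128)
        w.gamma(best_len - extra)              # the decoder adds `extra` back
        i += best_len; lwm = 1
    w.bit(1); w.bit(1); w.bit(0); w.byte(0)    # 110 with offset 0 = end of stream
    return bytes(w.buf)
```

Against a memory dump the decoder's input is whatever the stub reads through its source pointer: the listing loads source and destination from a parameter block (`mov esi, [edx+10h]` and `mov edi, [edx+20h]`, i.e. `[r10+0x10]` and `[r10+0x20]` once the REX prefixes are applied), so those two values are what to recover from the dump before calling `aplib_depack`.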
            Programming Language:
            • [IMP] VS2008 SP1 build 30729
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2dd000 | 0x4d | .edata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2de3ff | 0x40c | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e0000 | 0x31048 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x225d438 | 0x19a70 | .themida
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3357000 | 0x10 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_TLS | 0x2df018 | 0x28 | .tls
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | (none)
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | (none)
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            (blank) | 0x1000 | 0x1d617e | 0xf4200 | 48e811fb50e9e12012d240c5b4070799 | False | 0.9983488943292371 | data | 7.9859216384168565 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            (blank) | 0x1d8000 | 0xae54a | 0x48200 | bf0f5653a20bdf39b75bab36b06e340d | False | 0.9916797551993067 | DOS executable (COM) | 7.969669675233345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            (blank) | 0x287000 | 0xb2e8 | 0x1600 | ca9d1556954e3ea126d647d9a655932f | False | 0.9966264204545454 | data | 7.842554870568522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            (blank) | 0x293000 | 0x11b80 | 0xa400 | 1391de743cccc7d807967591354c4a91 | False | 0.9473847179878049 | OpenPGP Public Key | 7.617843471384982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            (blank) | 0x2a5000 | 0x31048 | 0x14400 | dacf2a63e7b333f281c49708650aa48e | False | 0.9960575810185185 | data | 7.947284933580225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            (blank) | 0x2d7000 | 0x5fb0 | 0x1e00 | 0386ab8dce132257c720198e84ac7432 | False | 0.9700520833333334 | data | 7.904430194440622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .edata | 0x2dd000 | 0x1000 | 0x200 | 675245ec27e99b63695a31764fa7e9d1 | False | 0.140625 | data | 0.9175056385011345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .idata | 0x2de000 | 0x1000 | 0xa00 | 0959a96c000cc7fc81d2849c50380492 | False | 0.301171875 | data | 3.5197836552888675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .tls | 0x2df000 | 0x1000 | 0x200 | d5489c2a156fcd1b2b6e13c33d15b2e5 | False | 0.0625 | data | 0.28456851570206254 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x2e0000 | 0x31200 | 0x31200 | 6f42d2657a44bc56a9aa24ebaf556b81 | False | 0.3992923027989822 | data | 5.776369302220804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .themida | 0x312000 | 0x1f72000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .boot | 0x2284000 | 0x10d2600 | 0x10d2600 | d99c5e440f1e7375ffa60d60a3ed372d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .reloc | 0x3357000 | 0x1000 | 0x10 | 1d6fd944088922ab12c4d93823813098 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
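Several of the report's static flags can be read straight off this section table: the entry point (0x142284058, RVA 0x2284058) lies in `.boot` rather than `.text`; `.themida` is executable and writable with 0x1f72000 bytes of virtual size but no raw data, so it is filled at run time; the unnamed sections are near 7.98 bits of entropy, i.e. compressed or encrypted; and none of the code-bearing sections carries a standard name. The Python below is an added example, not the sandbox's or the sample's code: a minimal PE section-table parser with those four checks, run against a PE32+ image that the block itself assembles to mirror this table (the section bytes are constructed, and the 7.5-bit entropy threshold and the set of "standard" names are my assumptions).

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# names a normal MSVC link produces; anything else counts as non-standard (assumption)
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".tls", ".bss", ".xdata", ".gfids", ".00cfg"}


def parse_pe_sections(pe: bytes):
    """Minimal PE32/PE32+ header walk: returns (entry RVA, list of section dicts)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "raw": pe[rawptr:rawptr + rawsize] if rawsize else b""})
    return entry_rva, sections


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def packer_indicators(pe: bytes, entropy_threshold: float = 7.5):
    """(section name, indicator) pairs for the traits the report flags on this sample."""
    entry_rva, sections = parse_pe_sections(pe)
    found = []
    for s in sections:
        n, ch = s["name"], s["chars"]
        if n not in STANDARD_NAMES:
            found.append((n, "nonstandard-name"))
            if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
                found.append((n, "entry-point"))            # entry point outside standard sections
        if ch & IMAGE_SCN_MEM_EXECUTE and s["rawsize"] == 0 and s["vsize"]:
            found.append((n, "virtual-only"))               # executable, but nothing on disk
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            found.append((n, "wx"))                         # self-modifying / unpack target
        if s["rawsize"] and entropy(s["raw"]) > entropy_threshold:
            found.append((n, "high-entropy"))               # compressed or encrypted payload
    return found


def build_pe(sections, entry_rva: int, image_base: int = 0x140000000) -> bytes:
    """Assemble a minimal PE32+ file; sections = [(name, va, vsize, raw bytes, characteristics)]."""
    file_align = 0x200
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                         # PE32+ optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    hdr += opt
    raw_start = -(-(len(hdr) + 40 * len(sections)) // file_align) * file_align
    body = bytearray()
    for name, va, vsize, raw, chars in sections:
        ptr = raw_start + len(body) if raw else 0
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                           len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw + b"\0" * (-len(raw) % file_align)
    return bytes(hdr) + b"\0" * (raw_start - len(hdr)) + bytes(body)


# Constructed image modelled on the table above: deterministic pseudo-random bytes stand in
# for the packed first section, .themida has no raw data, and the entry point sits in .boot.
_noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4 KiB
SAMPLE_PE = build_pe([
    ("", 0x1000, 0x1d617e, _noise, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".themida", 0x312000, 0x1f72000, b"", IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
     | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".boot", 0x2284000, 0x10d2600, b"\x48\xff\xc6" * 64, IMAGE_SCN_CNT_CODE
     | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
], entry_rva=0x2284058)
```

`packer_indicators(SAMPLE_PE)` reports the unnamed section as non-standard and high-entropy, `.themida` as non-standard, virtual-only and writable+executable, and `.boot` as non-standard and holding the entry point, which is the same picture the table gives for the real file. On a real sample, pass `open(path, "rb").read()` instead of `SAMPLE_PE`.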
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0x2e0190 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.47429078014184395
            RT_ICON | 0x2e0608 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.40942622950819674
            RT_ICON | 0x2e0fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.3592870544090056
            RT_ICON | 0x2e2058 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.3176348547717842
            RT_ICON | 0x2e4610 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.30184222957014645
            RT_ICON | 0x2e8848 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States | 0.26192236598890944
            RT_ICON | 0x2edce0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.2697603531637587
            RT_ICON | 0x2f7198 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.23555246657991247
            RT_ICON | 0x3079d0 | 0x95e0 | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | English | United States | 0.989105504587156
            RT_GROUP_ICON | 0x310fc0 | 0x84 | data | English | United States | 0.75
            DLL | Import
            kernel32.dll | GetModuleHandleA
            ntdll.dll | RtlCaptureContext
            USER32.dll | GetWindowTextW
            GDI32.dll | CreateCompatibleBitmap
            ADVAPI32.dll | RegCreateKeyExW
            SHELL32.dll | ShellExecuteW
            ole32.dll | CoSetProxyBlanket
            OLEAUT32.dll | SysFreeString
            MSVCP140.dll | ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
            gdiplus.dll | GdipCreateBitmapFromHBITMAP
            COMCTL32.dll | (no named import listed)
            SHLWAPI.dll | PathFindFileNameW
            IPHLPAPI.DLL | GetIfTable2Ex
            WS2_32.dll | connect
            bcrypt.dll | BCryptGenRandom
            VCRUNTIME140.dll | wcsstr
            VCRUNTIME140_1.dll | __CxxFrameHandler4
            api-ms-win-crt-runtime-l1-1-0.dll | signal
            api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode
            api-ms-win-crt-math-l1-1-0.dll | _ldclass
            api-ms-win-crt-string-l1-1-0.dll | strspn
            api-ms-win-crt-utility-l1-1-0.dll | qsort
            api-ms-win-crt-environment-l1-1-0.dll | getenv
            api-ms-win-crt-stdio-l1-1-0.dll | ungetc
            api-ms-win-crt-time-l1-1-0.dll | _time64
            api-ms-win-crt-filesystem-l1-1-0.dll | _stat64i32
            api-ms-win-crt-locale-l1-1-0.dll | localeconv
            api-ms-win-crt-convert-l1-1-0.dll | strtol
            Name | Ordinal | Address
            OPENSSL_Applink | 1 | 0x1400af0e4
            Language of compilation system | Country where language is spoken
            English | United States
            No network behavior found

            Target ID:0
            Start time:01:19:12
            Start date:05/01/2025
            Path:C:\Users\user\Desktop\7KlNbK2xkt.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\7KlNbK2xkt.exe"
            Imagebase:0x7ff6e67d0000
            File size:19'278'864 bytes
            MD5 hash:CA9F0F2DDA1CB0439275F6D975DABCF4
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false

            Target ID:2
            Start time:01:19:13
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ipconfig /flushdns
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:01:19:13
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:01:19:13
            Start date:05/01/2025
            Path:C:\Windows\System32\ipconfig.exe
            Wow64 process (32bit):false
            Commandline:ipconfig /flushdns
            Imagebase:0x7ff7d3c00000
            File size:35'840 bytes
            MD5 hash:62F170FB07FDBB79CEB7147101406EB8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:5
            Start time:01:19:13
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c netsh interface ip delete arpcache
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:01:19:14
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:7
            Start time:01:19:14
            Start date:05/01/2025
            Path:C:\Windows\System32\netsh.exe
            Wow64 process (32bit):false
            Commandline:netsh interface ip delete arpcache
            Imagebase:0x7ff787280000
            File size:96'768 bytes
            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:8
            Start time:01:19:14
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c certutil -URLCache * delete
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:01:19:14
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:01:19:14
            Start date:05/01/2025
            Path:C:\Windows\System32\certutil.exe
            Wow64 process (32bit):false
            Commandline:certutil -URLCache * delete
            Imagebase:0x7ff71d220000
            File size:1'651'712 bytes
            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:12
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c netsh int ip reset
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:13
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:14
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\netsh.exe
            Wow64 process (32bit):false
            Commandline:netsh int ip reset
            Imagebase:0x7ff787280000
            File size:96'768 bytes
            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:15
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c netsh int ipv4 reset
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:16
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:17
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\netsh.exe
            Wow64 process (32bit):false
            Commandline:netsh int ipv4 reset
            Imagebase:0x7ff787280000
            File size:96'768 bytes
            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:18
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c netsh int ipv6 reset
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:19
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:20
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\netsh.exe
            Wow64 process (32bit):false
            Commandline:netsh int ipv6 reset
            Imagebase:0x7ff787280000
            File size:96'768 bytes
            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:21
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c netsh winsock reset
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:22
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:23
            Start time:01:19:15
            Start date:05/01/2025
            Path:C:\Windows\System32\netsh.exe
            Wow64 process (32bit):false
            Commandline:netsh winsock reset
            Imagebase:0x7ff787280000
            File size:96'768 bytes
            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:24
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 144.217.123.198
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:25
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:26
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 144.217.123.198
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:27
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 144.217.123.200
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:28
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:29
            Start time:01:19:16
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 144.217.123.200
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:30
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 144.217.123.202
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:31
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:32
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 144.217.123.202
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:33
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 144.217.153.89
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:34
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:35
            Start time:01:19:17
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 144.217.153.89
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:36
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 144.217.153.92
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:37
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:38
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 144.217.153.92
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:39
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 192.95.19.137
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:40
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:41
            Start time:01:19:18
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 192.95.19.137
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:42
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 192.99.98.193
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:43
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:44
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 192.99.98.193
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:45
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:/c ping -w 250 -n 1 192.95.20.7
            Imagebase:0x7ff6c66d0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:46
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:47
            Start time:01:19:19
            Start date:05/01/2025
            Path:C:\Windows\System32\PING.EXE
            Wow64 process (32bit):false
            Commandline:ping -w 250 -n 1 192.95.20.7
            Imagebase:0x7ff6d2270000
            File size:22'528 bytes
            MD5 hash:2F46799D79D22AC72C241EC0322B011D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true
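The tree above is the same shape fifteen times over: the sample spawns `cmd.exe /c <tool>`, which brings up a `conhost.exe` and then the tool itself. The first seven commands reset the host's network stack (DNS cache, ARP cache, certutil URL cache, IPv4/IPv6/Winsock catalogs), and the next eight are single-echo `ping -w 250 -n 1` probes to eight different public addresses within five seconds, which is host-reachability probing rather than the "ping as sleep" idiom. The Python below is an added detection example, not part of the report: it attributes each tool launch to the process that really issued it by walking up through the `cmd.exe`/`conhost.exe` wrappers, then flags a burst of network-reset commands and a short-timeout ping sweep per issuing process. The event records are constructed from the command lines on this page with Sysmon-style fields and invented pids; the window, counts and timeout threshold are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "conhost.exe"}            # wrappers to look through when attributing a command
NET_RESET = [re.compile(p, re.I) for p in (
    r"^ipconfig\s+/flushdns\b",
    r"^netsh\s+interface\s+ip\s+delete\s+arpcache\b",
    r"^netsh\s+int(?:erface)?\s+ip(?:v4|v6)?\s+reset\b",
    r"^netsh\s+winsock\s+reset\b",
    r"^certutil\s+-urlcache\s+\*\s+delete\b",
)]
# one echo (-n 1) with an explicit timeout (-w N) to a literal IPv4 address, flags in any order
PING = re.compile(r"^ping\b(?=.*\s-n\s+1\b)(?=.*\s-w\s+(\d+)\b).*\s(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def root_parent(ev: dict, by_pid: dict) -> dict:
    """Follow ppid links up through cmd.exe/conhost.exe to the process that issued the command."""
    cur, seen = ev, set()
    while cur["pid"] not in seen:              # `seen` guards against pid reuse cycles
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return cur
        if basename(parent["image"]) not in SHELLS:
            return parent
        cur = parent
    return cur


def analyse(events: list, window: timedelta = timedelta(seconds=60), min_resets: int = 3,
            min_ping_targets: int = 3, max_ping_wait_ms: int = 1000) -> list:
    """Return (issuing image, indicator, count) triples for the two behaviours in the report."""
    by_pid = {e["pid"]: e for e in events}
    resets, pings = defaultdict(list), defaultdict(dict)
    for e in events:
        if basename(e["image"]) in SHELLS:
            continue                           # count the tool itself, not its cmd.exe wrapper
        cmd, root = e["cmdline"].strip(), root_parent(e, by_pid)
        if any(p.match(cmd) for p in NET_RESET):
            resets[root["pid"]].append((e["ts"], cmd.lower()))
        m = PING.match(cmd)
        if m and int(m.group(1)) <= max_ping_wait_ms:
            pings[root["pid"]].setdefault(m.group(2), e["ts"])   # first sighting per target

    def span_ok(stamps) -> bool:
        t = [datetime.strptime(s, "%H:%M:%S") for s in stamps]
        return max(t) - min(t) <= window

    findings = []
    for rpid, items in resets.items():
        if len({c for _, c in items}) >= min_resets and span_ok([t for t, _ in items]):
            findings.append((basename(by_pid[rpid]["image"]), "network-stack-reset-burst", len(items)))
    for rpid, ips in pings.items():
        if len(ips) >= min_ping_targets and span_ok(ips.values()):
            findings.append((basename(by_pid[rpid]["image"]), "short-timeout-ping-sweep", len(ips)))
    return findings


# Constructed Sysmon-style records mirroring the tree in this report; pids are invented.
SAMPLE = r"C:\Users\user\Desktop\7KlNbK2xkt.exe"
SYS32 = r"C:\Windows\System32"
COMMANDS = [
    "ipconfig /flushdns", "netsh interface ip delete arpcache", "certutil -URLCache * delete",
    "netsh int ip reset", "netsh int ipv4 reset", "netsh int ipv6 reset", "netsh winsock reset",
] + [f"ping -w 250 -n 1 {ip}" for ip in (
    "144.217.123.198", "144.217.123.200", "144.217.123.202", "144.217.153.89",
    "144.217.153.92", "192.95.19.137", "192.99.98.193", "192.95.20.7")]


def build_events() -> list:
    def ev(ts, pid, ppid, image, cmdline):
        return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
    events = [ev("01:19:12", 100, 1, SAMPLE, f'"{SAMPLE}"')]
    pid = 101
    for i, c in enumerate(COMMANDS):
        ts = f"01:19:{13 + i // 3:02d}"
        events.append(ev(ts, pid, 100, SYS32 + r"\cmd.exe", "/c " + c))
        events.append(ev(ts, pid + 1, pid, SYS32 + r"\conhost.exe", "conhost.exe 0xffffffff -ForceV1"))
        events.append(ev(ts, pid + 2, pid, SYS32 + "\\" + c.split()[0] + ".exe", c))
        pid += 3
    return events
```

`analyse(build_events())` yields one reset-burst finding with seven commands and one ping-sweep finding with eight targets, both attributed to `7klnbk2xkt.exe` rather than to `cmd.exe`. The attribution step matters more than the patterns: a rule keyed on `cmd.exe` as parent fires on every batch file on the box, while keying on the non-shell ancestor isolates the one process that did all of this in a six-second span.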

            No disassembly