
Windows Analysis Report
sZSXKXOnBw.exe

Overview

General Information

Sample name: sZSXKXOnBw.exe
Analysis ID: 1589483
MD5: 7e9bb4d78101740566c64724c56573b9
SHA1: 5cf8ba12af98c1f0b90ab15cfecc1fc5f3241372
SHA256: 90bfce53578f6f532e9947668112eeab461acc176f499feec880a9326815214e
Tags: exe, user-mickeyftnt1

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • sZSXKXOnBw.exe (PID: 6000 cmdline: "C:\Users\user\Desktop\sZSXKXOnBw.exe" MD5: 7E9BB4D78101740566C64724C56573B9)
    • aKmuNxOVRW.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\aKmuNxOVRW.exe" sZSXKXOnBw.exe MD5: 7E9BB4D78101740566C64724C56573B9)
      • aKmuNxOVRW.exe (PID: 1156 cmdline: "C:\Users\user\Desktop\aKmuNxOVRW.exe" "sZSXKXOnBw.exe" MD5: 7E9BB4D78101740566C64724C56573B9)
      • netsh.exe (PID: 1532 cmdline: "netsh" int tcp set heuristics disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2332 cmdline: "netsh" int tcp set global autotuninglevel=normal MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2260 cmdline: "netsh" int tcp set global congestionprovider=ctcp MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2908 cmdline: "netsh" int tcp set global ecncapability=default MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 4872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6544 cmdline: "netsh" int tcp set global rss=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5780 cmdline: "netsh" int tcp set global chimney=disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6696 cmdline: "netsh" int tcp set global dca=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6196 cmdline: "netsh" int tcp set global timestamps=disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6948 cmdline: "netsh" int tcp set global rsc=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
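The nine netsh invocations in the tree above are TCP-stack tuning commands (autotuning level, congestion provider, RSS, chimney, DCA, timestamps, RSC) rather than firewall changes, and all of them are spawned by the second-stage copy of the sample running from the user's Desktop. A detection that keys on that shape, added here as an example and not part of the Joe Sandbox report: constructed Sysmon-style process-creation events (PIDs, images and command lines taken from the tree, timestamps invented), a matcher for the `netsh int tcp set` command family, and a per-parent sliding window that fires when several such commands arrive within a short interval. The threshold, window and the severity rule for parents in user-writable paths are the example's own assumptions.

```python
"""Flag a burst of 'netsh int tcp set ...' children spawned by a single parent.

EVENTS below are constructed for this example (process names and PIDs mirror the
sandbox tree, timestamps are invented); they are not real telemetry.
"""
import re
from datetime import datetime, timedelta

# 'netsh int tcp set ...' in its common spellings: quoted, int/interface, with or without .exe
NETSH_TCP_SET = re.compile(r'^"?netsh(?:\.exe)?"?\s+int(?:erface)?\s+tcp\s+set\b', re.IGNORECASE)
# Parents living in locations a standard user can write to (assumed list).
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users\\|programdata\\|windows\\temp\\)", re.IGNORECASE)


def is_netsh_tcp_set(cmdline):
    """True when the command line is a netsh TCP-stack tuning command."""
    return NETSH_TCP_SET.match(cmdline.strip()) is not None


def detect_netsh_tuning_burst(events, threshold=3, window_s=60):
    """Return one alert per parent that spawned >= threshold tuning commands within window_s seconds."""
    by_parent = {}
    for ev in events:
        if is_netsh_tcp_set(ev["cmdline"]):
            by_parent.setdefault((ev["ppid"], ev["parent_image"]), []).append(ev)

    alerts = []
    for (ppid, parent_image), evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, best = 0, (0, 0, 0)  # (count, first_index, last_index) of the densest window
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, first, last = best
        if count >= threshold:
            alerts.append({
                "ppid": ppid,
                "parent_image": parent_image,
                "count": count,
                # A tuning burst from an executable in a user-writable path is the malicious shape here.
                "severity": "high" if USER_WRITABLE.match(parent_image) else "medium",
                "commands": [e["cmdline"] for e in evs[first:last + 1]],
            })
    return alerts


def _ev(time, pid, ppid, parent_image, cmdline):
    return {"time": time, "pid": pid, "ppid": ppid, "parent_image": parent_image, "cmdline": cmdline}


DROPPER = r"C:\Users\user\Desktop\aKmuNxOVRW.exe"   # second-stage copy, PID 3892 in the tree
ADMIN_CMD = r"C:\Windows\System32\cmd.exe"          # constructed benign parent

# Constructed events: the nine commands from the tree, their conhost noise, and an admin doing two by hand.
EVENTS = [
    _ev("2025-01-13T10:00:05", 1532, 3892, DROPPER, '"netsh" int tcp set heuristics disabled'),
    _ev("2025-01-13T10:00:06", 2332, 3892, DROPPER, '"netsh" int tcp set global autotuninglevel=normal'),
    _ev("2025-01-13T10:00:07", 2260, 3892, DROPPER, '"netsh" int tcp set global congestionprovider=ctcp'),
    _ev("2025-01-13T10:00:08", 2908, 3892, DROPPER, '"netsh" int tcp set global ecncapability=default'),
    _ev("2025-01-13T10:00:09", 6544, 3892, DROPPER, '"netsh" int tcp set global rss=enabled'),
    _ev("2025-01-13T10:00:10", 5780, 3892, DROPPER, '"netsh" int tcp set global chimney=disabled'),
    _ev("2025-01-13T10:00:11", 6696, 3892, DROPPER, '"netsh" int tcp set global dca=enabled'),
    _ev("2025-01-13T10:00:12", 6196, 3892, DROPPER, '"netsh" int tcp set global timestamps=disabled'),
    _ev("2025-01-13T10:00:13", 6948, 3892, DROPPER, '"netsh" int tcp set global rsc=enabled'),
    _ev("2025-01-13T10:00:06", 2060, 1532, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    _ev("2025-01-13T11:30:00", 7100, 900, ADMIN_CMD, "netsh interface tcp set global autotuninglevel=normal"),
    _ev("2025-01-13T11:30:20", 7104, 900, ADMIN_CMD, "netsh.exe interface tcp set global rss=enabled"),
]

if __name__ == "__main__":
    for alert in detect_netsh_tuning_burst(EVENTS):
        print(alert["severity"], alert["ppid"], alert["parent_image"], alert["count"])
```

With the default threshold only the Desktop-resident parent fires; lowering it to 2 also surfaces the constructed admin session at medium severity, which is the trade-off to tune against your own baseline of interactive netsh use.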
No configs have been found

Source | Rule | Description | Author | Strings
2.3.sZSXKXOnBw.exe.b9b23cc.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.3.sZSXKXOnBw.exe.b9b23cc.1.raw.unpack | INDICATOR_EXE_Packed_DNGuard | Detects executables packed with DNGuard | ditekSHen |
  • 0x6695cc:$s1: DNGuard Runtime library
  • 0x6696e6:$s1: DNGuard Runtime library
  • 0x669755:$s1: DNGuard Runtime library
  • 0x6697cb:$s2: [*=*]This application is expired ![*=*]
2.3.sZSXKXOnBw.exe.b9b0dc4.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.3.sZSXKXOnBw.exe.b9b0dc4.0.raw.unpack | INDICATOR_EXE_Packed_DNGuard | Detects executables packed with DNGuard | ditekSHen |
  • 0x66abd4:$s1: DNGuard Runtime library
  • 0x66acee:$s1: DNGuard Runtime library
  • 0x66ad5d:$s1: DNGuard Runtime library
  • 0x66add3:$s2: [*=*]This application is expired ![*=*]
13.3.aKmuNxOVRW.exe.b9be3cc.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(3 further entries collapsed in this capture)

No Sigma rule has matched
No Suricata rule has matched


        AV Detection

Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | ReversingLabs: Detection: 42%
Source: sZSXKXOnBw.exe | Virustotal: Detection: 54%
Source: sZSXKXOnBw.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Joe Sandbox ML: detected
Source: sZSXKXOnBw.exe | Joe Sandbox ML: detected
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MThe remote name could not be resolved:5-----BEGIN PUBLIC KEY-----memstr_1095471c-4
Source: sZSXKXOnBw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\boxedappsdkthunk\BoxedAppSDKThunk.pdb | source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\bin\release_full\bxsdk32.pdb | source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
Source: Binary string: V:\builds\BoxedApp\files\8CC2254F\src\BoxedApp\bxsdk\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb | source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdbSHA256 | source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb | source: SQLite.Interop.dll.tmp.9.dr
Source: Binary string: C:\Users\hpcou\Desktop\newSRC\MReget\obj\Debug\MReget.pdb | source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\tlssupport\TLSSupport.pdb | source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdb | source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb | source: SQLite.Interop.dll.tmp0.9.dr

        Networking

Source: Yara match | File source: 2.3.sZSXKXOnBw.exe.b9b23cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.sZSXKXOnBw.exe.b9b0dc4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.aKmuNxOVRW.exe.b9be3cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.aKmuNxOVRW.exe.b9bcdc4.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.110.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: sZSXKXOnBw.exe, 00000002.00000003.1349513754.0000000002D99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://boxedapp.com/boxedappsdk/order.html
Source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr | String found in binary or memory: http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)U
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://npci.org/upi/schema/:
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://npci.org/upi/schema/T
Source: tesseract50.dll.tmp.9.dr, tesseract50.dll.tmp0.9.dr | String found in binary or memory: http://www.loc.gov/standards/alto/ns-v3#
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcver
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data=
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.irctc.co.in
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49761 version: TLS 1.2

        System Summary

Source: 2.3.sZSXKXOnBw.exe.b9b23cc.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard (Detects executables packed with DNGuard), author: ditekSHen
Source: 2.3.sZSXKXOnBw.exe.b9b0dc4.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard (Detects executables packed with DNGuard), author: ditekSHen
Source: 13.3.aKmuNxOVRW.exe.b9be3cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard (Detects executables packed with DNGuard), author: ditekSHen
Source: 13.3.aKmuNxOVRW.exe.b9bcdc4.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard (Detects executables packed with DNGuard), author: ditekSHen
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | File created: C:\Windows\Fonts\DS-Digital.ttf
Source: sZSXKXOnBw.exe, 00000002.00000003.1349357341.0000000002E03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinZip.exe. vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000000.1268689042.0000000000576000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK.dll: vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000003.1348776796.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinZip.exe. vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000002.1370538535.000000000046D000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000002.1361348914.0000000000183000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDNRuntime.dll4 vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMReget.dll. vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBhimAXIS.dll2 vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: get_OriginalFilename vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000002.00000000.1268689042.000000000046B000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Binary or memory string: OriginalFilenameBoxedAppSDK.dll: vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: aKmuNxOVRW.exe.2.dr | Binary string: \??\UVMLite\??\Nsi\??\con\??\MountPointManager\??\CbFs3NrIoctl\??\PrlMiniRdrDN\Device\NETBT_TCPIP_\Device\LanmanDatagramReceiver\Device\RdpDr\Device\RasAcd\Device\WS2IFSL\Device\DeviceApi\\Device\KsecDD\Device\CNG\DosDevices\pipe\\Device\DfsClient\Device\Afd\Device\Csc\Device\Mailslot\\Device\NamedPipe\\??\pipe\
Source: aKmuNxOVRW.exe.2.dr | Binary string: \Device\\??\UNC\??\Z:FullWriteCopyMergedNone
Source: classification engine | Classification label: mal96.troj.evad.winEXE@32/32@1/1
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | File created: C:\Users\user\Desktop\GADAR.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_00000f34_00000f7c
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_00000484_00000894_00000484
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_00001770_00000e80_00001770
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00000f34_00000f7c
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00000484_00000894
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_00000f34_00000f7c_00000f34
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2444:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4872:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00001770_00000e80
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_00000484_00000894
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_00000f34_00000f7c
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_03
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_00001770_00000e80
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_00000484_00000894
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_00001770_00000e80
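Turning the indicators in this report (the hashes under General Information, the raw.githubusercontent.com download and JA3 under Networking, the dropped files and mutexes listed above) into a host check needs some care: the MD5 is printed in lower case under General Information and in upper case in the process tree, the BoxedApp SDK mutex names end in PID-derived hex groups that change on every run, the `SM0:<pid>:120:WilError_03` mutexes belong to conhost and are noise, and 185.199.110.133 serves raw.githubusercontent.com, so the IP and JA3 on their own say very little. Added example, not part of the Joe Sandbox report: a matcher over constructed telemetry rows that normalises hash case, matches the mutex families by prefix, and weights indicator types so that the weak ones only raise confidence in combination. The telemetry rows, the weights and the threshold are the example's own assumptions; the indicator values are the ones the report lists.

```python
"""Weighted IOC matcher for the indicators listed in the report above.

HOST_A and HOST_B are constructed telemetry for this example; the indicator
values come from the report, the weights are an assumption.
"""
import re

# Strong: the submitted sample and its dropped copy share this hash.
KNOWN_MD5 = {"7e9bb4d78101740566c64724c56573b9"}
KNOWN_SHA256 = {"90bfce53578f6f532e9947668112eeab461acc176f499feec880a9326815214e"}

# Weak: BoxedApp SDK runtime mutexes. The trailing hex groups are PID/handle
# derived and differ per run, so only the family prefix is matched.
BOXEDAPP_MUTEX = re.compile(
    r"^\\Sessions\\\d+\\BaseNamedObjects\\"
    r"(?:boxedapp_(?:global_shared_mem|shared_env_mutex|process_list_mutex)|bx_process_mutex)"
    r"(?:_[0-9a-f]{8}){2,3}$",
    re.IGNORECASE,
)

# Medium: files the sample dropped; the profile path varies, so compare basenames.
DROPPED_BASENAMES = {"ds-digital.ttf", "gadar.lnk"}

# Weak: raw.githubusercontent.com shares this address and TLS fingerprint with benign traffic.
KNOWN_IPS = {"185.199.110.133"}
KNOWN_JA3 = {"3b5074b1b5d032e5620f69f9f700ff0e"}
DOWNLOAD_HOST = "raw.githubusercontent.com"
DOWNLOAD_PATH = "/ayaan1980/htmlpdf/main/ds-digit.ttf"

# Assumed weights; each indicator type counts once per host no matter how often it repeats.
WEIGHTS = {"hash": 100, "url": 60, "dropped_file": 30, "mutex": 10, "ja3": 5, "ip": 5}


def normalize_hash(value):
    return value.strip().lower()


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return (indicator_type, detail) when a telemetry row hits an IOC, else None."""
    kind = ev["type"]
    if kind == "file_hash":
        md5, sha256 = normalize_hash(ev.get("md5", "")), normalize_hash(ev.get("sha256", ""))
        if md5 in KNOWN_MD5 or sha256 in KNOWN_SHA256:
            return ("hash", ev.get("path", ""))
    elif kind == "file_create":
        if basename(ev["path"]) in DROPPED_BASENAMES:
            return ("dropped_file", ev["path"])
    elif kind == "mutex":
        if BOXEDAPP_MUTEX.match(ev["name"]):
            return ("mutex", ev["name"])
    elif kind == "http":
        if ev["host"].lower() == DOWNLOAD_HOST and ev["path"].lower() == DOWNLOAD_PATH:
            return ("url", ev["host"] + ev["path"])
    elif kind == "tls":
        if ev.get("ja3", "").lower() in KNOWN_JA3:
            return ("ja3", ev["ja3"])
        if ev.get("dst_ip") in KNOWN_IPS:
            return ("ip", ev["dst_ip"])
    return None


def score_host(events, threshold=50):
    """Aggregate one host's hits into a verdict: match, weak (hits below threshold) or none."""
    hits = [m for m in (match_event(e) for e in events) if m is not None]
    score = sum(WEIGHTS[t] for t in {t for t, _ in hits})
    verdict = "match" if score >= threshold else ("weak" if hits else "none")
    return {"score": score, "verdict": verdict, "hits": hits}


# Constructed telemetry. HOST_A carries the dropped copy (MD5 in upper case, as the process tree prints it).
HOST_A = [
    {"type": "file_hash", "path": r"C:\Users\alice\Desktop\aKmuNxOVRW.exe", "md5": "7E9BB4D78101740566C64724C56573B9"},
    {"type": "file_create", "path": r"C:\Windows\Fonts\DS-Digital.ttf"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\bx_process_mutex_00000484_00000894_00000484"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03"},
    {"type": "tls", "dst_ip": "185.199.110.133", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"},
]
# HOST_B runs some other BoxedApp-packed program and fetched something from GitHub: weak evidence only.
HOST_B = [
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00000f34_00000f7c"},
    {"type": "tls", "dst_ip": "185.199.110.133", "ja3": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
]

if __name__ == "__main__":
    for name, rows in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        result = score_host(rows)
        print(name, result["verdict"], result["score"], [t for t, _ in result["hits"]])
```

The hash alone is enough to call HOST_A; HOST_B stays at "weak" because a BoxedApp mutex plus a GitHub connection is something a legitimate packed application can produce. The "weak" verdict is the one to route to a human rather than to an automated block.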
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | File created: C:\Users\user\AppData\Local\Temp\2
Source: sZSXKXOnBw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.62%
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | WMI Queries: IWbemServices::ExecNotificationQuery - root\cimv2 : select * from Win32_ProcessStartTrace
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE TBL_UPI(RID integer PRIMARY KEY AUTOINCREMENT, MobNo varchar(15), UPIAdd varchar(15), RegiInfo varchar(50000), LoginInfo varchar(100000), AccInfo varchar(100000), TrnsInfo varchar(100000), SessInfo varchar(100000), TimeStamp varchar(50));
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | File read: C:\Users\user\Desktop\sZSXKXOnBw.exe
Source: unknown | Process created: C:\Users\user\Desktop\sZSXKXOnBw.exe "C:\Users\user\Desktop\sZSXKXOnBw.exe"
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Process created: C:\Users\user\Desktop\aKmuNxOVRW.exe "C:\Users\user\Desktop\aKmuNxOVRW.exe" sZSXKXOnBw.exe
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Users\user\Desktop\aKmuNxOVRW.exe "C:\Users\user\Desktop\aKmuNxOVRW.exe" "sZSXKXOnBw.exe"
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabled
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global autotuninglevel=normal
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global congestionprovider=ctcp
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global ecncapability=default
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rss=enabled
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global chimney=disabled
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global dca=enabled
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global timestamps=disabled
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rsc=enabled
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rtutils.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: sZSXKXOnBw.exe Static file information: File size 40714240 > 1048576
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x135000
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .GS. is bigger than: 0x100000 < 0x1bf000
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2375000
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\boxedappsdkthunk\BoxedAppSDKThunk.pdb source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\bin\release_full\bxsdk32.pdb source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
        Source: Binary string: V:\builds\BoxedApp\files\8CC2254F\src\BoxedApp\bxsdk\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdbSHA256 source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp.9.dr
        Source: Binary string: C:\Users\hpcou\Desktop\newSRC\MReget\obj\Debug\MReget.pdb source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\tlssupport\TLSSupport.pdb source: sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdb source: sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp0.9.dr
        Source: sZSXKXOnBw.exe Static PE information: section name: .GS.
        Source: aKmuNxOVRW.exe.2.dr Static PE information: section name: .GS.
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_02DAC35B push 6802DAC3h; ret 2_3_02DAC36D
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_02DAC350 push eax; ret 2_3_02DAC351
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_02DAC221 push 5002DAC3h; ret 2_3_02DAC22D
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_0B1FD3B0 pushad ; iretd 2_3_0B1FD3B1
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_0B1FD7A0 pushad ; ret 2_3_0B1FD7C9
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_0B1FD05B push esi; retf 2_3_0B1FD064
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Code function: 2_3_0B202A5A push esi; retf 2_3_0B202A74
        Source: sZSXKXOnBw.exe Static PE information: section name: .GS. entropy: 7.697127639688447
        Source: aKmuNxOVRW.exe.2.dr Static PE information: section name: .GS. entropy: 7.697127639688447
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe File created: C:\Users\user\Desktop\aKmuNxOVRW.exe
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x86\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File created: C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ServiceProvider

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe File deleted: c:\users\user\desktop\szsxkxonbw.exe
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe RDTSC instruction interceptor: First address: 4038B7 second address: 4038F4 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, sp 0x00000005 mov byte ptr [esp+1Dh], FFFFFF84h 0x0000000a mov byte ptr [esp+1Eh], FFFFFFBFh 0x0000000f cmovb edx, eax 0x00000012 mov byte ptr [esp+1Fh], 00000019h 0x00000017 mov ecx, dword ptr [esp+1Ch] 0x0000001b mov al, 82h 0x0000001d cdq 0x0000001e movzx edx, si 0x00000021 mov dword ptr [esi+00000200h], ecx 0x00000027 cwd 0x00000029 setns al 0x0000002c push 00000100h 0x00000031 cmovle eax, ebx 0x00000034 mov byte ptr [esp+24h], 00000028h 0x00000039 mov byte ptr [esp+25h], bl 0x0000003d rdtsc
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe RDTSC instruction interceptor: First address: 661FC0 second address: 661FC9 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 mov ecx, dword ptr [esp+14h] 0x00000009 rdtsc
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe RDTSC instruction interceptor: First address: 4038B7 second address: 4038F4 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, sp 0x00000005 mov byte ptr [esp+1Dh], FFFFFF84h 0x0000000a mov byte ptr [esp+1Eh], FFFFFFBFh 0x0000000f cmovb edx, eax 0x00000012 mov byte ptr [esp+1Fh], 00000019h 0x00000017 mov ecx, dword ptr [esp+1Ch] 0x0000001b mov al, 82h 0x0000001d cdq 0x0000001e movzx edx, si 0x00000021 mov dword ptr [esi+00000200h], ecx 0x00000027 cwd 0x00000029 setns al 0x0000002c push 00000100h 0x00000031 cmovle eax, ebx 0x00000034 mov byte ptr [esp+24h], 00000028h 0x00000039 mov byte ptr [esp+25h], bl 0x0000003d rdtsc
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe RDTSC instruction interceptor: First address: 661FC0 second address: 661FC9 instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 mov ecx, dword ptr [esp+14h] 0x00000009 rdtsc
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Memory allocated: 47F0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Memory allocated: 4F60000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Memory allocated: 4880000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Memory allocated: 10600000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Memory allocated: 13600000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 47B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 5020000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 49A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 47B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 4EC0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Memory allocated: 48A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Window / User API: threadDelayed 3492
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Window / User API: threadDelayed 516
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Window / User API: threadDelayed 1427
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Window / User API: threadDelayed 924
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x86\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Dropped PE file which has not been started: C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe TID: 4668 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 520 Thread sleep time: -46800s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 2708 Thread sleep time: -3142800s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 1652 Thread sleep time: -291600s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 520 Thread sleep time: -109800s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 2708 Thread sleep time: -831600s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exe Thread delayed: delay time: 922337203685477
        Source: aKmuNxOVRW.exe.2.drBinary or memory string: VMware
        Source: netsh.exe, 0000000E.00000003.1464148796.0000000000931000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.1469821629.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1470002145.0000000000751000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001D.00000003.1469542096.0000000000621000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
        Source: netsh.exe, 00000017.00000003.1469898625.0000000000D81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
        Source: aKmuNxOVRW.exe.2.drBinary or memory string: ErrorUnknown ,Version=Culture=PublicKeyToken=ProcessorArchitecture=neutral0 ., - Virtual Machine Network Services DriverVMwareBluetoothWiFiWLan802.11%02X-%02X-%02X-%02X-%02X-%02XCreate Com failed.root\cimv2Can't Connect to WMI Service: HR: 0x%X, LastError: 0x%XWMI ACCESS_DENIEDset proxy failed|:InterfaceTypeUSBIndexManufacturerProductSerialNumberVersionWin32_BaseBoardNameSMBIOSBIOSVersionWin32_BIOSProcessorIdWin32_ProcessorModelWin32_DiskDriveWin32_PhysicalMedia%.4X
        Source: netsh.exe, 0000000F.00000003.1464802876.0000000001091000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000011.00000003.1469534097.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000011.00000002.1489824963.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000013.00000003.1469861037.0000000003991000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001B.00000002.1471713725.000000000081A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeProcess created: C:\Users\user\Desktop\aKmuNxOVRW.exe "C:\Users\user\Desktop\aKmuNxOVRW.exe" sZSXKXOnBw.exeJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Users\user\Desktop\aKmuNxOVRW.exe "C:\Users\user\Desktop\aKmuNxOVRW.exe" "sZSXKXOnBw.exe"Jump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabledJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global autotuninglevel=normalJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global congestionprovider=ctcpJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global ecncapability=defaultJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rss=enabledJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global chimney=disabledJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global dca=enabledJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global timestamps=disabledJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rsc=enabledJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_0b85a8bb8c7e851a.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_0b85a8bb8c7e851a.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\aKmuNxOVRW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\aKmuNxOVRW.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabled
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
        Windows Management Instrumentation
        2
        Windows Service
        2
        Windows Service
        11
        Masquerading
        OS Credential Dumping1
        Query Registry
        Remote Services1
        Archive Collected Data
        1
        Encrypted Channel
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/Job1
        DLL Side-Loading
        11
        Process Injection
        11
        Disable or Modify Tools
        LSASS Memory311
        Security Software Discovery
        Remote Desktop ProtocolData from Removable Media1
        Ingress Tool Transfer
        Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        DLL Side-Loading
        41
        Virtualization/Sandbox Evasion
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
        Process Injection
        NTDS41
        Virtualization/Sandbox Evasion
        Distributed Component Object ModelInput Capture3
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
        Obfuscated Files or Information
        LSA Secrets1
        Application Window Discovery
        SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Software Packing
        Cached Domain Credentials1
        File and Directory Discovery
        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
        DLL Side-Loading
        DCSync123
        System Information Discovery
        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
        File Deletion
        Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1589483 | Sample: sZSXKXOnBw.exe | Start date: 12/01/2025 | Architecture: WINDOWS | Score: 96

Node 2 (Start): contacts raw.githubusercontent.com (52); signatures: Malicious sample detected (through community Yara rule) (56), Multi AV Scanner detection for submitted file (58), Machine Learning detection for sample (60), 2 other signatures (62); starts sZSXKXOnBw.exe (9)
Node 9 (sZSXKXOnBw.exe 4): dropped C:\Users\user\Desktop\aKmuNxOVRW.exe, PE32 (40); dropped C:\Users\user\AppData\...\sZSXKXOnBw.exe.log, ASCII (42); signature: Tries to detect virtualization through RDTSC time measurements (64); starts aKmuNxOVRW.exe (13)
Node 13 (aKmuNxOVRW.exe 28 20): contacts raw.githubusercontent.com 185.199.110.133, 443, 49761 FASTLYUS Netherlands (54); dropped C:\Users\user\Desktop\...\tesseract50.dll.tmp, PE32 (44); dropped C:\Users\user\...\tesseract50.dll (copy), PE32 (46); dropped C:\Users\user\...\leptonica-1.82.0.dll.tmp, PE32 (48); 9 other malicious files dropped (50); signatures: Multi AV Scanner detection for dropped file (66), Machine Learning detection for dropped file (68), Uses netsh to modify the Windows network and firewall settings (70), 3 other signatures (72); starts netsh.exe (18), netsh.exe (20), netsh.exe (22), 7 other processes (24)
Node 18 (netsh.exe): starts conhost.exe (26)
Node 20 (netsh.exe): starts conhost.exe (28)
Node 22 (netsh.exe): starts conhost.exe (30)
Node 24 (7 other processes): starts conhost.exe (32), conhost.exe (34), conhost.exe (36), 3 other processes (38)

Source | Detection | Scanner | Label
sZSXKXOnBw.exe | 54% | Virustotal |
sZSXKXOnBw.exe | 42% | ReversingLabs | Win32.Trojan.Giant
sZSXKXOnBw.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\aKmuNxOVRW.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\aKmuNxOVRW.exe | 42% | ReversingLabs | Win32.Trojan.Giant
C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\x64\tesseract50.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x64\tesseract50.dll.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\tesseract50.dll (copy) | 0% | ReversingLabs |
C:\Users\user\Desktop\x86\tesseract50.dll.tmp | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcver | 0% | Avira URL Cloud | safe
http://npci.org/upi/schema/T | 0% | Avira URL Cloud | safe
https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data= | 0% | Avira URL Cloud | safe
http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)U | 0% | Avira URL Cloud | safe
http://npci.org/upi/schema/: | 0% | Avira URL Cloud | safe
http://boxedapp.com/boxedappsdk/order.html | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.110.133 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://boxedapp.com/boxedappsdk/order.html | sZSXKXOnBw.exe, sZSXKXOnBw.exe, 00000002.00000003.1349513754.0000000002D99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loc.gov/standards/alto/ns-v3# | tesseract50.dll.tmp.9.dr, tesseract50.dll.tmp0.9.dr | false | | high
http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)U | sZSXKXOnBw.exe, aKmuNxOVRW.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://npci.org/upi/schema/T | sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data= | sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sqlite.org/copyright.html2 | SQLite.Interop.dll.tmp.9.dr, SQLite.Interop.dll.tmp0.9.dr | false | | high
https://www.irctc.co.in | sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcver | sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://npci.org/upi/schema/: | sZSXKXOnBw.exe, 00000002.00000003.1302456448.000000000B946000.00000004.00000020.00020000.00000000.sdmp, aKmuNxOVRW.exe, 0000000D.00000003.1496654156.000000000B952000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589483
Start date and time: 2025-01-12 15:59:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sZSXKXOnBw.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@32/32@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target aKmuNxOVRW.exe, PID 3892 because there are no executed functions
• Execution Graph export aborted for target sZSXKXOnBw.exe, PID 6000 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Time | Type | Description
11:24:44 | API Interceptor | 2614980x Sleep call for process: aKmuNxOVRW.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  185.199.110.133sys_upd.ps1Get hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  cr_asm_menu..ps1Get hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  cr_asm_phshop..ps1Get hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                  SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                  • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  raw.githubusercontent.comhttp://trustwallet.secure-configure.com/trst.phpGet hashmaliciousUnknownBrowse
                  • 185.199.109.133
                  https://trustwallet.secure-configure.com/trst.php/Get hashmaliciousUnknownBrowse
                  • 185.199.110.133
                  HTTPS://RAW.GITHUBUSERCONTENT.COM/wINPARwINPAR/DUCKYSCRIPTS/MAIN/nOeSCAPE.EXEGet hashmaliciousUnknownBrowse
                  • 185.199.111.133
                  z.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                  • 185.199.111.133
                  h.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                  • 185.199.110.133
                  spreadmalware.exeGet hashmaliciousXWormBrowse
                  • 185.199.110.133
                  GTA5-elamigos.exeGet hashmaliciousEsquele StealerBrowse
                  • 185.199.108.133
                  GTA5-elamigos.exeGet hashmaliciousEsquele StealerBrowse
                  • 185.199.108.133
                  Customer.exeGet hashmaliciousXWormBrowse
                  • 185.199.111.133
                  Solara Bootstrapper.exeGet hashmaliciousUnknownBrowse
                  • 185.199.109.133
                  Match: FASTLYUS
                  Associated Sample Name / URL | Detection | Threat Name | Context
                  PDF-523.msi | malicious | AteraAgent | 199.232.210.172
                  http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 199.232.192.193
                  https://heuristic-knuth-588d37.netlify.app/?naps/ | malicious | HTMLPhisher | 199.232.192.193
                  https://terrific-metal-countess.glitch.me/ | malicious | HTMLPhisher | 151.101.129.44
                  http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/ | malicious | HTMLPhisher, Mamba2FA | 185.199.110.153
                  https://adopt0098.bitbucket.io/ | malicious | HTMLPhisher | 151.101.130.137
                  https://marketing-campaign-solution.vercel.app/ | malicious | HTMLPhisher | 151.101.2.137
                  https://pub-ce1f93897bdf44e9b1cd99ad0325c570.r2.dev/index.html | malicious | HTMLPhisher | 151.101.194.137
                  https://muhammadsaadofficial390.github.io/s1 | malicious | HTMLPhisher | 185.199.108.153
                  https://darkened-chalk-system-noolrgfa.glitch.me/ | malicious | Outlook Phishing, HTMLPhisher | 151.101.2.137
                  Associated Sample Name / URL | Detection | Threat Name | Context
                  3b5074b1b5d032e5620f69f9f700ff0ec2.hta | malicious | Unknown | 185.199.110.133
                  E6wUHnV51P.exe | malicious | DCRat | 185.199.110.133
                  resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 185.199.110.133
                  c1.hta | malicious | Unknown | 185.199.110.133
                  http://www.grhga.icu/ | malicious | Unknown | 185.199.110.133
                  http://keystonerelated.pages.dev/ | malicious | HTMLPhisher | 185.199.110.133
                  https://telegrams-mc.org/ | malicious | Unknown | 185.199.110.133
                  http://metamaeskloegin.webflow.io/ | malicious | HTMLPhisher | 185.199.110.133
                  http://www.www-support-com.info/fmicode/code.php | malicious | Unknown | 185.199.110.133
                  http://m.escritoresunidos.com/ | malicious | Unknown | 185.199.110.133
                  No context
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1019
                  Entropy (8bit):5.334408101546384
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84D8mE4qpsXE4qdKm:MIHK5HKH1qHiYHKh3ogvD8mHpHA
                  MD5:1E2972F586E5ED70EE8CAA7A54EC02C8
                  SHA1:F3E2EB8EA380E8F5F2B98DA78FC74CD9FDCD0D3F
                  SHA-256:CA3B2A253FFE455D171E6A56DE43A0AD5F6693031F5E7571BBE12F066D8A6826
                  SHA-512:414E3F5B11027D2880822D87CD0EA22FAA3CF3700FD9D329B9A47B00A5385B19E1FEDCCD73A372A0961B466FD0DAD481628788D5BAE02AFD4432384FE78BE08D
                  Malicious:false
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Man
                  Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1019
                  Entropy (8bit):5.334408101546384
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84D8mE4qpsXE4qdKm:MIHK5HKH1qHiYHKh3ogvD8mHpHA
                  MD5:1E2972F586E5ED70EE8CAA7A54EC02C8
                  SHA1:F3E2EB8EA380E8F5F2B98DA78FC74CD9FDCD0D3F
                  SHA-256:CA3B2A253FFE455D171E6A56DE43A0AD5F6693031F5E7571BBE12F066D8A6826
                  SHA-512:414E3F5B11027D2880822D87CD0EA22FAA3CF3700FD9D329B9A47B00A5385B19E1FEDCCD73A372A0961B466FD0DAD481628788D5BAE02AFD4432384FE78BE08D
                  Malicious:true
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Man
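The two identical previews above (one per process; the second process, aKmuNxOVRW.exe, is a dropped copy of the sample, as the 40714240-byte PE further down with the submitted file's own hashes shows) follow the record layout of a .NET Framework CLR usage log: one CSV record per line, the first field a record type, then quoted fields. Type 1 records are runtime settings, type 2 records name an assembly the process loaded, and type 3 records add the path of the native image (*.ni.dll) that satisfied the load. The log's path is not preserved on this page; on .NET Framework 4.x such logs are written under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<image>.exe.log, which is an assumption here, not something the report states. The parser below is an added example, not part of the report or of the sample. It re-creates the preview as input (the last record is left truncated exactly where the preview cuts off, a condition a parser must tolerate since these logs are appended while the process runs) and flags the assemblies that account for behaviours listed in the signature section: System.Management for the WMI queries and System.ServiceProcess for the service changes. The watchlist is the editor's own choice.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the Preview above with the report's ".." line separators restored to CRLF.
# The final record stops at "System.Man" exactly as the preview does; it is deliberately not completed.
# Typical location on .NET Framework 4.x (assumption; the report does not give the path):
#   %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<image>.exe.log
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\96012833bebd5f21714fc508603cda97\\System.Man'
)

# Editor's watchlist (an assumption, not part of the report): assemblies whose presence in a
# usage log explains capabilities the sandbox signatures reported for this sample.
WATCHLIST: Dict[str, str] = {
    "System.Management": "WMI access (Win32_ComputerSystem / Win32_LogicalDisk queries)",
    "System.ServiceProcess": "Windows service creation or control",
}


@dataclass
class Record:
    kind: int                 # 1 = runtime setting, 2 = assembly loaded, 3 = assembly loaded via native image
    fields: List[str]         # the remaining fields, quotes removed
    truncated: bool = False   # the line ended inside a quoted field

    @property
    def display_name(self) -> Optional[str]:
        return self.fields[0] if self.kind in (2, 3) and self.fields else None

    @property
    def native_image(self) -> Optional[str]:
        return self.fields[1] if self.kind == 3 and len(self.fields) > 1 else None


def _split_fields(line: str) -> Tuple[List[str], bool]:
    """Split one record. Quoted fields may contain commas (assembly display names do);
    an unterminated quote marks a record cut short and is kept rather than dropped."""
    fields: List[str] = []
    i, n = 0, len(line)
    while i < n:
        if line[i] == '"':
            j = line.find('"', i + 1)
            if j == -1:                       # no closing quote: record was truncated
                fields.append(line[i + 1:])
                return fields, True
            fields.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(",", i)
            if j == -1:
                fields.append(line[i:])
                return fields, False
            fields.append(line[i:j])
            i = j
        if i < n and line[i] == ",":          # step over the field separator
            i += 1
    return fields, False


def parse_usage_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, truncated = _split_fields(line)
        if not fields or not fields[0].isdigit():
            continue                          # not a usage-log record; skip rather than guess
        records.append(Record(int(fields[0]), fields[1:], truncated))
    return records


def assembly_short_name(display_name: str) -> str:
    """'System.Management, Version=4.0.0.0, ...' -> 'System.Management'."""
    return display_name.split(",", 1)[0].strip()


def loaded_assemblies(records: List[Record]) -> List[str]:
    return [assembly_short_name(r.display_name) for r in records if r.display_name]


def flag_capabilities(records: List[Record], watchlist: Dict[str, str] = WATCHLIST) -> Dict[str, str]:
    return {name: watchlist[name] for name in loaded_assemblies(records) if name in watchlist}


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    for r in recs:
        print(r.kind, r.display_name or r.fields, "(truncated)" if r.truncated else "")
    print("flags:", flag_capabilities(recs))
```

Because the log names assemblies rather than APIs, it is a coarse but cheap triage signal: a GUI utility that also pulls in System.Management and System.ServiceProcess deserves a closer look, and the same parser works on logs collected from a live host during incident response.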
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode
                  Category:dropped
                  Size (bytes):24448
                  Entropy (8bit):6.021815002677403
                  Encrypted:false
                  SSDEEP:384:vGghlfJ9PrivEdmCn9C3SOEt6zV62qvH+h7jf43W8TUZw0MvH+h7jf43W8TUZhwK:lrikmC9CCOEt6z/qvH+h7r4G8TIw0Mvg
                  MD5:63F874D192FB3892D88D5E26F942B5E2
                  SHA1:1CE1ED312B41A237CB253C706290C0FD7287859D
                  SHA-256:87EB14D41EEEAC0BD7FE0C62ECE05134BBF1EE8059B6E3E701D7F4A7799506DC
                  SHA-512:ACEA89E459D5EDB937056E86D1E9ACC430206957B7DB98C67AA0D629013BF8F626E29684199D86F712CAED6E3F265A984E0EEFD6E33E7FF3DB77057720AB7F5C
                  Malicious:false
                  Preview:.......0....OS/2...l..X0...NPCLT..Cv..X....6cmapv."/..T....<cvt ......W....Lfpgm.\........dglyfvS.5......KVhdmx&.T`..X.....head..........6hhea.x.L...4...$hmtx.;....V<....loca..h...Q\....maxp._.....X... nameD.....x...upost.]....S.....prepZ......T................_.<....L....6.......6......E.......................8...........................j.....j.R...........@.....d.......................Y......................./.........P.c.....................X............._.........Y.........................).........(.;.....................,.............U...........Y......................./.........P.c.....................X............._Font Typeface: DS-Digital. Created by Dusit Supasawat , DS-Font 1998. All Rights Reserved.F.o.n.t. .T.y.p.e.f.a.c.e.:. .D.S.-.D.i.g.i.t.a.l... .C.r.e.a.t.e.d. .b.y. .D.u.s.i.t. .S.u.p.a.s.a.w.a.t. .,. .D.S.-.F.o.n.t. .1.9.9.8... .A.l.l. .R.i.g.h.t.s. .R.e.s.e.r.v.e.dDS-Digital.D.S.-.D.i.g.i.t.a.lNormal.N.o.r.m.a.lDusit Supasawat: DS-Digital: Version 1.1.D.u.s.i.t.
                  Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jan 12 14:00:18 2025, mtime=Sun Jan 12 14:00:21 2025, atime=Sun Jan 12 14:00:18 2025, length=40714240, window=hide
                  Category:dropped
                  Size (bytes):609
                  Entropy (8bit):5.173250243143804
                  Encrypted:false
                  SSDEEP:12:8mUAbhd/Q1qzYNbRLExnUUfIMjAYclZpUrtESkXIomVbJznJDJV:8m/3/QTnL+FfPAYclZSx1kmvnJDJV
                  MD5:58DBA063661127ECF9E345027FD18BD0
                  SHA1:12D5CDEB788120986A61E48E1A899FBB9046FD66
                  SHA-256:04CED2813F4B11252DBBE3425CC7CDDDA1718F2734E4155779A7FB9AEFD7BE94
                  SHA-512:AE4E2760224939E780E97DF4E436963F55B31567481F14FB3F7872F0EAB9662515CD0E26ECB1F9CF3A3E74EE41494AF489DA0671621BC0A6AC366EDF019C641A
                  Malicious:false
                  Preview:L..................F.... ........e..a.|..e...1..e...@m..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_........e...(..e....j.2..@m.,Z.x .AKMUNX~1.EXE..N......,Z.x,Z.x...........................(..a.K.m.u.N.x.O.V.R.W...e.x.e.......X...............-.......W...........[./......C:\Users\user\Desktop\aKmuNxOVRW.exe......\.a.K.m.u.N.x.O.V.R.W...e.x.e...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?............`.......X.......707748...........hT..CrF.f4... .../Tc...,......hT..CrF.f4... .../Tc...,..........
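The shortcut above, dropped by the submitted sample, points at aKmuNxOVRW.exe: the preview shows an ANSI local base path C:\Users\user\Desktop\aKmuNxOVRW.exe inside the LinkInfo structure, the Unicode relative path .\aKmuNxOVRW.exe and a working directory of C:\Users\frontdesk\Desktop, and the file type line gives the target length as 40714240 bytes, the size of the dropped PE listed further down whose hashes are the submitted sample's own. The same line reports window=hide, libmagic's label for a ShowCommand of 0 (SW_HIDE); that is not one of the three values MS-SHLLINK defines for the field, and the shell treats any undefined value as SW_SHOWNORMAL. The parser below is an added example, not part of the report: it validates the header, skips the ID list, pulls the local base path out of LinkInfo, reads the StringData fields in their fixed order, and flags the undefined ShowCommand. The sample bytes are constructed from the strings above by a small builder included for that purpose, since the dropped .lnk itself is not on this page.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# ShellLink header constants from MS-SHLLINK. The CLSID is {00021401-0000-0000-C000-000000000046}
# in its on-disk (little-endian) layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# The only ShowCommand values the format defines; the shell treats anything else as SW_SHOWNORMAL.
DEFINED_SHOW = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


@dataclass
class ShellLink:
    flags: int
    file_size: int
    show_command: int
    local_base_path: Optional[str] = None   # from LinkInfo (ANSI)
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None
    anomalies: List[str] = field(default_factory=list)


def parse_lnk(data: bytes) -> ShellLink:
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    link = ShellLink(flags, struct.unpack_from("<I", data, 52)[0], struct.unpack_from("<I", data, 60)[0])
    pos = 0x4C
    if flags & HAS_ID_LIST:                                   # "Item id list present" in the file type line
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                                 # "Points to a file or directory"
        size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                                    # VolumeIDAndLocalBasePath
            start = pos + lbp_off
            link.local_base_path = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += size
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:                                 # CountCharacters + characters, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * (2 if unicode else 1)]
        pos += 2 + len(raw)
        return raw.decode("utf-16-le" if unicode else "cp1252")

    for bit, attr in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:                                       # StringData fields appear in this fixed order
            setattr(link, attr, read_string())
    if link.show_command not in DEFINED_SHOW:
        link.anomalies.append(f"ShowCommand {link.show_command:#x} is undefined (0 is SW_HIDE); "
                              "libmagic prints it as window=hide, the shell runs it as SW_SHOWNORMAL")
    return link


def build_lnk(local_base: str, rel_path: str, work_dir: str, file_size: int, show_cmd: int) -> bytes:
    """Constructed test input only: a minimal shortcut with an empty ID list, a LinkInfo carrying
    an ANSI LocalBasePath, Unicode RELATIVE_PATH and WORKING_DIR, and a terminal ExtraData block."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_REL_PATH | HAS_WORK_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0,
                         file_size, 0, show_cmd, 0, 0, 0, 0)         # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    id_list = struct.pack("<H", 2) + b"\x00\x00"                       # IDListSize + TerminalID only
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"      # DRIVE_FIXED, empty volume label
    base = local_base.encode("cp1252") + b"\x00"
    lbp_off = 0x1C + len(volume_id)
    body = volume_id + base + b"\x00"                                 # trailing NUL = empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C, lbp_off, 0, lbp_off + len(base)) + body

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + link_info + sd(rel_path) + sd(work_dir) + struct.pack("<I", 0)


# Constructed to mirror the strings visible in the Preview above; 40714240 is the length in the
# file type line and the size of the dropped PE that carries the sample's own hashes.
SAMPLE_LNK = build_lnk(r"C:\Users\user\Desktop\aKmuNxOVRW.exe", r".\aKmuNxOVRW.exe",
                       r"C:\Users\frontdesk\Desktop", 40714240, 0)

if __name__ == "__main__":
    lnk = parse_lnk(SAMPLE_LNK)
    print(lnk.local_base_path, lnk.relative_path, lnk.working_dir, lnk.file_size, sep="\n")
    print("\n".join(lnk.anomalies))
```

Real shortcuts usually also carry a TrackerDataBlock and property store in ExtraData (the 1SPS signature is visible in the preview); the parser above stops before ExtraData because the fields that matter for this triage, the target path, the working directory and the ShowCommand, all come earlier.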
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):119
                  Entropy (8bit):4.715370047475539
                  Encrypted:false
                  SSDEEP:3:OIviYQu9jLWUcFptZKdYrDxycUQu92lvKCtZKgJHMKw0Ovn:OI69uRTcFJKdKnJuKvKmKgJHMhvn
                  MD5:4D28721483943267D68E2B9FF16A0690
                  SHA1:2334F825D06D81687929D6EC5A845CACD2CB18A2
                  SHA-256:63CD9F4643DC403BED6B559FD81765B1A35820B8886DE20282E12450A1D4669A
                  SHA-512:FDDAA4C5E799B3837B054EC0429F663D0F64B6DE9F029D0DA809DC6311D354C343D757DD747F7E4CB0E7803D648E139C41BEA4266444C4E7F771CA24AD5F6025
                  Malicious:false
                  Preview:12-Jan-2025 10:00:39.319 : Program.Main : User Start NGET..12-Jan-2025 10:00:40.757 : Program.Main : Validation Start..
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):534
                  Entropy (8bit):5.111063294208867
                  Encrypted:false
                  SSDEEP:12:TMHdG3VOcrg9LNFF7ap+5/Fw+uff/2/xFicYo4xT:2dErSPF7N/FwRfH2/L9y
                  MD5:4B14782CB47160B63EDB3A1374A75347
                  SHA1:0632CF59CF6ECF19847E241A81B8AE4EF4C41864
                  SHA-256:A5991E80A38E2AA164E09BEB42CB87F70936F04DFA59370B0DBCF633EECDA089
                  SHA-512:836A3F35EF5237BCE387E1B595DEF60D07E1A0C7D1A4B0BED3E12C3EB6E4AC44C2A492409581F8C19334BB7A5DEDBF885BE4E2C2FF74987630892B96EBDCCB5C
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="BouncyCastle.Crypto" publicKeyToken="0e99375e54769942" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-1.8.5.0" newVersion="1.8.5.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):534
                  Entropy (8bit):5.111063294208867
                  Encrypted:false
                  SSDEEP:12:TMHdG3VOcrg9LNFF7ap+5/Fw+uff/2/xFicYo4xT:2dErSPF7N/FwRfH2/L9y
                  MD5:4B14782CB47160B63EDB3A1374A75347
                  SHA1:0632CF59CF6ECF19847E241A81B8AE4EF4C41864
                  SHA-256:A5991E80A38E2AA164E09BEB42CB87F70936F04DFA59370B0DBCF633EECDA089
                  SHA-512:836A3F35EF5237BCE387E1B595DEF60D07E1A0C7D1A4B0BED3E12C3EB6E4AC44C2A492409581F8C19334BB7A5DEDBF885BE4E2C2FF74987630892B96EBDCCB5C
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="BouncyCastle.Crypto" publicKeyToken="0e99375e54769942" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-1.8.5.0" newVersion="1.8.5.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                  Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):40714240
                  Entropy (8bit):7.979590120899689
                  Encrypted:false
                  SSDEEP:786432:FYXQkw++7HaRK+qjAnv7aXWFOJRD600LPGiH72CujWDhgPwlm5v1npyDu:FcdYEK++An2WFOJRD600LPGiHpfhgPw6
                  MD5:7E9BB4D78101740566C64724C56573B9
                  SHA1:5CF8BA12AF98C1F0B90AB15CFECC1FC5F3241372
                  SHA-256:90BFCE53578F6F532E9947668112EEAB461ACC176F499FEEC880A9326815214E
                  SHA-512:C240FFD40007CE2D67E72BC52C0B3348E1C07B3B2A340543781363617690E5607D6D0CFAB2BB7DB57AA895081C817DC2A550CF2929040EBFA2AACB67FB76E86D
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 42%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.,f..........#..........0L.............. ....@..........................pm.....T.m.............................................. 6..M7.........................................................H...@............ ..@............................text...@........................... ..`.rdata....... ....... ..............@..@.data....}.......P..................@....GS.....`....0...................... ..`.rsrc....M7.. 6..P7...5.............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:Zip archive data, at least v1.0 to extract, compression method=store
                  Category:dropped
                  Size (bytes):7116310
                  Entropy (8bit):7.997425165063183
                  Encrypted:true
                  SSDEEP:196608:eXwPdMUhJaA7RNN8VDMwxK6P7+Wc1yw1ZI25bxVS:eAV7oAyVDzxKMiUYxpxo
                  MD5:ACFC66BDC0874B0B5AA95AA4B704EE5A
                  SHA1:780A2408B52ED2B9D24867440C8B9EE9FDF301CF
                  SHA-256:BBA273900F9564A3AF9DCEDF90E43F5960A431F56927B68F5D0C29E833C64ED6
                  SHA-512:8836FE397E72030CADC9D78C7C7DC0B2AC5125B0B5ABB12256F65C4F8B37A5CBAF29D149E3B00687FF278E2A091CCD034A6FFAB3C3C1AF44A0F3EC02D5428E45
                  Malicious:false
                  Preview:PK........Y.7V................x86/PK...........N...l.....0......x86/SQLite.Interop.dll.}|T.0|f.L2!.......A. ...8.&.h.N..!.$.B../.....$.L.d;.V}..j+Eo..Z|...8I0_"..j......N..1. .k.sf.....y..7?.g......k......o......_Q8n...eq..........|<}.n..../}hc.....l.O.M~.'.=.....u.....z,y.}..G._.nn\...D.K........~sM.........`......n#.....}~......./....G.7.......a..G.+W......,.z.Mp:8n...;....q..~z....&Z9n...==...ri..?z..R..}.....3.O...,.+..Q.......g..m...e`d'|M..=c...v..1...$G...3r..O.....\a.....'XU.....<...f.?.~.q...U.k.;.:"_....f.:........'.|?_p..J.Z...vaD....W..5w..........7...q.|..y.2b.a_q...}M.....w.?eV.<.U......Ma.d.&0....X...`.".f07..K....e.u2.~.>..5.]..R.>.........[.[..*.V3.i.ng.s.}A.......].}...........s..=..&..fn+s?a.I.v2.,s)s.....^.;.\...3..\3..8..1....B....0.+I..S.30.hR....4..Jb.x.J.....C.... H.....9....^}..7.L..c..MF71..)......i.....E..7.}......,.}n......kc...........8L;.`.wr@Q...!..h..L.9.B..dp..Fc.K.Fc......r... .......2c.....pi.|..~>.(....^..rZ7LV...!
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:Zip archive data, at least v1.0 to extract, compression method=store
                  Category:dropped
                  Size (bytes):7116310
                  Entropy (8bit):7.997425165063183
                  Encrypted:true
                  SSDEEP:196608:eXwPdMUhJaA7RNN8VDMwxK6P7+Wc1yw1ZI25bxVS:eAV7oAyVDzxKMiUYxpxo
                  MD5:ACFC66BDC0874B0B5AA95AA4B704EE5A
                  SHA1:780A2408B52ED2B9D24867440C8B9EE9FDF301CF
                  SHA-256:BBA273900F9564A3AF9DCEDF90E43F5960A431F56927B68F5D0C29E833C64ED6
                  SHA-512:8836FE397E72030CADC9D78C7C7DC0B2AC5125B0B5ABB12256F65C4F8B37A5CBAF29D149E3B00687FF278E2A091CCD034A6FFAB3C3C1AF44A0F3EC02D5428E45
                  Malicious:false
                  Preview:PK........Y.7V................x86/PK...........N...l.....0......x86/SQLite.Interop.dll.}|T.0|f.L2!.......A. ...8.&.h.N..!.$.B../.....$.L.d;.V}..j+Eo..Z|...8I0_"..j......N..1. .k.sf.....y..7?.g......k......o......_Q8n...eq..........|<}.n..../}hc.....l.O.M~.'.=.....u.....z,y.}..G._.nn\...D.K........~sM.........`......n#.....}~......./....G.7.......a..G.+W......,.z.Mp:8n...;....q..~z....&Z9n...==...ri..?z..R..}.....3.O...,.+..Q.......g..m...e`d'|M..=c...v..1...$G...3r..O.....\a.....'XU.....<...f.?.~.q...U.k.;.:"_....f.:........'.|?_p..J.Z...vaD....W..5w..........7...q.|..y.2b.a_q...}M.....w.?eV.<.U......Ma.d.&0....X...`.".f07..K....e.u2.~.>..5.]..R.>.........[.[..*.V3.i.ng.s.}A.......].}...........s..=..&..fn+s?a.I.v2.,s)s.....^.;.\...3..\3..8..1....B....0.+I..S.30.hR....4..Jb.x.J.....C.... H.....9....^}..7.L..c..MF71..)......i.....E..7.}......,.}n......kc...........8L;.`.wr@Q...!..h..L.9.B..dp..Fc.K.Fc......r... .......2c.....pi.|..~>.(....^..rZ7LV...!
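The two entries above describe byte-identical content: a 7 MB archive with an 8-bit entropy of 7.997 that the report marks Encrypted:true, and whose file type line says compression method=store. Two caveats apply before reading that as an encrypted archive. First, libmagic takes the method (and the "at least v1.0 to extract" version) from the first local file header, which here is the x86/ directory entry visible in the preview, so it says nothing about how x86/SQLite.Interop.dll itself is stored. Second, entropy near 8 bits/byte is equally consistent with deflate compression, with ZIP-level encryption, and with a stored member that was encrypted or packed before archiving; only the method and general-purpose flag bit 0 in each member's own local header separate these cases, and the report does not print them. The script below is an added example, not part of the report: it reproduces the report's entropy measure, reads each member's local header, and applies that classification to a constructed archive that mirrors the member layout in the preview. The dropped file itself is not on this page, so the DLL is stood in for by a deterministic high-entropy blob, and a deflated member plus a plaintext member are added for contrast.

```python
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter
from dataclasses import dataclass
from typing import List


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: the quantity behind the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ZipMember:
    name: str
    method: int            # 0 = store, 8 = deflate
    encrypted: bool        # general-purpose flag bit 0: ZIP-level encryption (traditional PKWARE or AES)
    compressed_size: int
    entropy: float         # of the bytes as they sit in the archive


# signature, version needed, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_HDR = "<IHHHHHIIIHH"
LOCAL_SIG = 0x04034B50


def first_local_header_method(data: bytes) -> int:
    """What `file` reports as 'compression method=': the method field of the first local header only."""
    sig, _ver, _flags, method = struct.unpack_from("<IHHH", data, 0)
    if sig != LOCAL_SIG:
        raise ValueError("no ZIP local file header at offset 0")
    return method


def inspect_zip(data: bytes) -> List[ZipMember]:
    """Locate members through the central directory, then read each local header directly so the
    method and flag bits are the ones an extractor will honour, and measure the stored bytes' entropy."""
    members: List[ZipMember] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            sig, _ver, flags, method, _t, _d, _crc, _csize, _usize, nlen, xlen = struct.unpack_from(LOCAL_HDR, data, off)
            if sig != LOCAL_SIG:
                raise ValueError(f"bad local file header at offset {off:#x}")
            start = off + struct.calcsize(LOCAL_HDR) + nlen + xlen
            raw = data[start:start + info.compress_size]   # central-directory size is valid even when bit 3 defers the local one
            members.append(ZipMember(info.filename, method, bool(flags & 0x1), info.compress_size, shannon_entropy(raw)))
    return members


def classify(m: ZipMember, threshold: float = 7.9) -> str:
    """Separate the readings an 'Encrypted' verdict can have for one member."""
    if m.encrypted:
        return "zip-encrypted"
    if m.method == zipfile.ZIP_DEFLATED:
        return "deflated (high entropy is normal)"
    if m.method == zipfile.ZIP_STORED:
        if m.compressed_size == 0:
            return "empty"
        return ("stored, opaque payload (encrypted or packed before zipping)"
                if m.entropy >= threshold else "stored plaintext")
    return f"method {m.method}"


def build_sample_zip() -> bytes:
    """Constructed input, not the dropped file: same first two members as the preview (an x86/ directory
    entry, then x86/SQLite.Interop.dll), the DLL replaced by a deterministic 16 KiB high-entropy blob,
    plus a deflated member and a stored plaintext member for contrast."""
    stamp = (2025, 1, 12, 14, 0, 0)
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(512))
    plan = (("x86/", b"", zipfile.ZIP_STORED),
            ("x86/SQLite.Interop.dll", blob, zipfile.ZIP_STORED),
            ("x64/SQLite.Interop.dll", b"plain text " * 2000, zipfile.ZIP_DEFLATED),
            ("readme.txt", b"plain text " * 50, zipfile.ZIP_STORED))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, method in plan:
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = method
            zf.writestr(zi, payload)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    print("first local header method:", first_local_header_method(SAMPLE_ZIP))
    for m in inspect_zip(SAMPLE_ZIP):
        print(f"{m.name:24} method={m.method} encrypted={m.encrypted} size={m.compressed_size:6} "
              f"entropy={m.entropy:.3f}  -> {classify(m)}")
```

On the constructed archive the first-header method is 0 even though one member is deflated, which is exactly the blind spot in the report's file type line; the per-member view is what decides whether SQLite.Interop.dll was merely compressed or was wrapped before it was archived.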
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):1625088
                  Entropy (8bit):6.529811892106442
                  Encrypted:false
                  SSDEEP:49152:H+PCM/q8roxO/scjdY7mrGsyCuB5SDdrzYC:H+JZEwB
                  MD5:A0D07D0E354C7760497EF7EA6227B937
                  SHA1:10CFC3FF37B8B492A2130D1CDA2CCFA8788A9650
                  SHA-256:F39FC4D52B3E9E1A8D30FB8E2FFD320C1B54A5D5C5AD2444E57F0B3642CDC05E
                  SHA-512:908C234CB616EDC87A76D9153A6DA8F2A1013C477602EC2068DC598592CD1355569F42989B1F4B29AB43F9DDE3912DBFD9BFB01EAEDBF6960277D629F75E24EB
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O..7...d...d...d.i.d...d.i.d...d.i.d(..d0..e...d0..e...d0..e...d..=d...d...d...d...e...d...e...d...d...d...e...dRich...d........PE..d......\.........." .....~...J............................................... ............`.........................................@6..81..xg..<.......<.......@...............$.......p...........................p................................................text....}.......~.................. ..`.rdata..............................@..@.data....M.......6...h..............@....pdata..@...........................@..@.gfids..............................@..@.rsrc...<...........................@..@.reloc..$...........................@..B........................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):1625088
                  Entropy (8bit):6.529811892106442
                  Encrypted:false
                  SSDEEP:49152:H+PCM/q8roxO/scjdY7mrGsyCuB5SDdrzYC:H+JZEwB
                  MD5:A0D07D0E354C7760497EF7EA6227B937
                  SHA1:10CFC3FF37B8B492A2130D1CDA2CCFA8788A9650
                  SHA-256:F39FC4D52B3E9E1A8D30FB8E2FFD320C1B54A5D5C5AD2444E57F0B3642CDC05E
                  SHA-512:908C234CB616EDC87A76D9153A6DA8F2A1013C477602EC2068DC598592CD1355569F42989B1F4B29AB43F9DDE3912DBFD9BFB01EAEDBF6960277D629F75E24EB
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O..7...d...d...d.i.d...d.i.d...d.i.d(..d0..e...d0..e...d0..e...d..=d...d...d...d...e...d...e...d...d...d...e...dRich...d........PE..d......\.........." .....~...J............................................... ............`.........................................@6..81..xg..<.......<.......@...............$.......p...........................p................................................text....}.......~.................. ..`.rdata..............................@..@.data....M.......6...h..............@....pdata..@...........................@..@.gfids..............................@..@.rsrc...<...........................@..@.reloc..$...........................@..B........................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):4168192
                  Entropy (8bit):6.666546959084921
                  Encrypted:false
                  SSDEEP:49152:AyeqkefPjBthD9lmJ/teqmlWjIBpSbVqS/hlpC5GiptUw2qv5Nan6hI7G2f7S5V:9NDPqBEWbq2qv7J
                  MD5:2813455700FB7C1BC09738CA56AE7DA7
                  SHA1:54DE0B23A10ACC5A97C61B00DBFEE9A4B4CE0A80
                  SHA-256:DFCB3E6ED0B16BC55BFDBCF53543CFE42A354B87C3E35BD3A95EEBF005D73E76
                  SHA-512:49C2D2F22DAADB2B3D60344C2B4B1387C79EE8DC56FDC3D9E023088F1A5A18469A220A499802C1AA58498FB3DCC0D070E6C9FEA9EEA470C072EB8F8D02B9E647
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.....uF..uF..uF...F..uF..tG..uF...F..uF..pG..uF..qG..uF..vG..uF..tG..uF..tF..uF..uF..uF..qG..uF..pG..uF..uG..uF...F..uF..wG..uFRich..uF................PE..d...}.hc.........." ...!.F)..X.......L).......................................?...........`.........................................p.;..*..h.=.,.....?.......=..4............?.p....W8..............................V8.@............`)..............................text....E)......F)................. ..`.rdata..$....`)......J).............@..@.data....[... =..T....=.............@....pdata...4....=..6...Z=.............@..@.rsrc.........?.......?.............@..@.reloc..p.....?.......?.............@..B........................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):4168192
                  Entropy (8bit):6.666546959084921
                  Encrypted:false
                  SSDEEP:49152:AyeqkefPjBthD9lmJ/teqmlWjIBpSbVqS/hlpC5GiptUw2qv5Nan6hI7G2f7S5V:9NDPqBEWbq2qv7J
                  MD5:2813455700FB7C1BC09738CA56AE7DA7
                  SHA1:54DE0B23A10ACC5A97C61B00DBFEE9A4B4CE0A80
                  SHA-256:DFCB3E6ED0B16BC55BFDBCF53543CFE42A354B87C3E35BD3A95EEBF005D73E76
                  SHA-512:49C2D2F22DAADB2B3D60344C2B4B1387C79EE8DC56FDC3D9E023088F1A5A18469A220A499802C1AA58498FB3DCC0D070E6C9FEA9EEA470C072EB8F8D02B9E647
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.....uF..uF..uF...F..uF..tG..uF...F..uF..pG..uF..qG..uF..vG..uF..tG..uF..tF..uF..uF..uF..qG..uF..pG..uF..uG..uF...F..uF..wG..uFRich..uF................PE..d...}.hc.........." ...!.F)..X.......L).......................................?...........`.........................................p.;..*..h.=.,.....?.......=..4............?.p....W8..............................V8.@............`)..............................text....E)......F)................. ..`.rdata..$....`)......J).............@..@.data....[... =..T....=.............@....pdata...4....=..6...Z=.............@..@.rsrc.........?.......?.............@..@.reloc..p.....?.......?.............@..B........................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):2788352
                  Entropy (8bit):6.73983803697782
                  Encrypted:false
                  SSDEEP:49152:zEuBRPoTZPD1JvFQomLfqqzn1CKVnc235nlilIQ9O6/J:DY1rg1BFcU8T
                  MD5:446370B590A3C14E0FDA0A2029B8E6FA
                  SHA1:58D38C3E3ACC8FB6C9E6E540E5877F89E09B5272
                  SHA-256:DE4D04EC75095374D98F5DD7A60D14D7E2E0F76589DB693ECCF7AE658BE8CB2B
                  SHA-512:51E29A643DD9D873AD67BD73B0FA05D887E3D1F6914227AA20513F1CBF6CE58088F24AC228087CA4A4470D93558769369F0065CD409083A6F140E17D66935C25
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.2.9.\J9.\J9.\J0..J-.\J_..J8.\Jk.XK1.\Jk._K=.\Jk.YK%.\Jk.]K?.\J..]K;.\J-.]K<.\J9.]J..\J..YK..\J..\K8.\J...J8.\J..^K8.\JRich9.\J................PE..d.....a.........." ................4.........................................+...........`...........................................%..i..l.(.T.....*.......)..*............*..... .#.......................#.(...@.#.8...............h............................text............................... ..`.rdata..6U.......V..................@..@.data...hg...@)..4....).............@....pdata...*....)..,...P).............@..@.rsrc.........*......|*.............@..@.reloc........*......~*.............@..B................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):2788352
                  Entropy (8bit):6.73983803697782
                  Encrypted:false
                  SSDEEP:49152:zEuBRPoTZPD1JvFQomLfqqzn1CKVnc235nlilIQ9O6/J:DY1rg1BFcU8T
                  MD5:446370B590A3C14E0FDA0A2029B8E6FA
                  SHA1:58D38C3E3ACC8FB6C9E6E540E5877F89E09B5272
                  SHA-256:DE4D04EC75095374D98F5DD7A60D14D7E2E0F76589DB693ECCF7AE658BE8CB2B
                  SHA-512:51E29A643DD9D873AD67BD73B0FA05D887E3D1F6914227AA20513F1CBF6CE58088F24AC228087CA4A4470D93558769369F0065CD409083A6F140E17D66935C25
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.2.9.\J9.\J9.\J0..J-.\J_..J8.\Jk.XK1.\Jk._K=.\Jk.YK%.\Jk.]K?.\J..]K;.\J-.]K<.\J9.]J..\J..YK..\J..\K8.\J...J8.\J..^K8.\JRich9.\J................PE..d.....a.........." ................4.........................................+...........`...........................................%..i..l.(.T.....*.......)..*............*..... .#.......................#.(...@.#.8...............h............................text............................... ..`.rdata..6U.......V..................@..@.data...hg...@)..4....).............@....pdata...*....)..,...P).............@..@.rsrc.........*......|*.............@..@.reloc........*......~*.............@..B................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1257472
                  Entropy (8bit):6.763508943930235
                  Encrypted:false
                  SSDEEP:24576:UkK4+7HQip0XnKcTN3N/qUIfAuGk/Zbqw3u3yRtQbp/l+rbtqSEAl:Z+7HJp06iDV6ZbJ3uPpdVSEa
                  MD5:20F57CDC2BBF1921AEAFC24A3550BAFB
                  SHA1:E20D2AD819B47F58EBEAC880BD10C04F2C7C368C
                  SHA-256:B1D183195F39D03573312CA6B232869B2D06B2DD9AFB8E7896F61EEE3EE87224
                  SHA-512:9A2F663DFA528CE5DD27DFAD3717F146FD7074DE30916C675488F7B4E718BF0AA0B5007B937FF1FA32ACDD7C7CB1B4166C5EF0744AA599370B01C33076429FD3
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.,.2...2...2..(.`..2..(.b..2..(.c..2...l.~.2...l.~.2...l.~.2..A.Z..2...2...2...l.~.2...l.~.2...ln..2...l.~.2..Rich.2..........PE..L......\...........!.........................0...............................p............@..........................V...1......<.......<.......................$....N..p............................O..@............0...............................text............................... ..`.rdata...c...0...d..................@..@.data............"..................@....gfids..............................@..@.rsrc...<...........................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1257472
                  Entropy (8bit):6.763508943930235
                  Encrypted:false
                  SSDEEP:24576:UkK4+7HQip0XnKcTN3N/qUIfAuGk/Zbqw3u3yRtQbp/l+rbtqSEAl:Z+7HJp06iDV6ZbJ3uPpdVSEa
                  MD5:20F57CDC2BBF1921AEAFC24A3550BAFB
                  SHA1:E20D2AD819B47F58EBEAC880BD10C04F2C7C368C
                  SHA-256:B1D183195F39D03573312CA6B232869B2D06B2DD9AFB8E7896F61EEE3EE87224
                  SHA-512:9A2F663DFA528CE5DD27DFAD3717F146FD7074DE30916C675488F7B4E718BF0AA0B5007B937FF1FA32ACDD7C7CB1B4166C5EF0744AA599370B01C33076429FD3
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.,.2...2...2..(.`..2..(.b..2..(.c..2...l.~.2...l.~.2...l.~.2..A.Z..2...2...2...l.~.2...l.~.2...ln..2...l.~.2..Rich.2..........PE..L......\...........!.........................0...............................p............@..........................V...1......<.......<.......................$....N..p............................O..@............0...............................text............................... ..`.rdata...c...0...d..................@..@.data............"..................@....gfids..............................@..@.rsrc...<...........................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):3379712
                  Entropy (8bit):6.86501364649086
                  Encrypted:false
                  SSDEEP:49152:QPQ3LXmkoChDOtojwcyQc0Iq3jzfzGL+ON4Ge/MKFVsrpouf/xo7r2+gu:sQbXmkF/8+4SFqNfc
                  MD5:E62F9EF3DD31DF439FA2A37793B035DB
                  SHA1:14497CBF51B94AF3D89E7527B08E9199933F560C
                  SHA-256:1700330110ADA8E4F07FB063915E60E2B585AD87D9B1948093945E4645B66D08
                  SHA-512:11AE50C42B393DC8F2F19E75E50D348F186FCD4150F96B2564B3BF6D61C6230F14EAB0C61CDA10824735C5E0A44753D181B2932931D7EA4986C7ADCA2D12BD1F
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header bytes (DOS stub "This program cannot be run in DOS mode", Rich header; sections .text, .rdata, .data, .rsrc, .reloc); binary dump omitted
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):3379712
                  Entropy (8bit):6.86501364649086
                  Encrypted:false
                  SSDEEP:49152:QPQ3LXmkoChDOtojwcyQc0Iq3jzfzGL+ON4Ge/MKFVsrpouf/xo7r2+gu:sQbXmkF/8+4SFqNfc
                  MD5:E62F9EF3DD31DF439FA2A37793B035DB
                  SHA1:14497CBF51B94AF3D89E7527B08E9199933F560C
                  SHA-256:1700330110ADA8E4F07FB063915E60E2B585AD87D9B1948093945E4645B66D08
                  SHA-512:11AE50C42B393DC8F2F19E75E50D348F186FCD4150F96B2564B3BF6D61C6230F14EAB0C61CDA10824735C5E0A44753D181B2932931D7EA4986C7ADCA2D12BD1F
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header bytes (DOS stub "This program cannot be run in DOS mode", Rich header; sections .text, .rdata, .data, .rsrc, .reloc); binary dump omitted
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):2336768
                  Entropy (8bit):6.894094251328808
                  Encrypted:false
                  SSDEEP:49152:cDrN2OaIP2WOIyZPQhd7aLcrmArnVaB8DqYv4W6rXoYO:cDrN2OaIP2ZIE4fCUmArnk+DqYQ
                  MD5:A87BA6AC613B8ECB5ED033E57B871E6F
                  SHA1:39F6C33B5E9CAE045854B711AF29FC4B916B79BF
                  SHA-256:7F4873CDB78B9CD18C069EAE434D38DD14E987531866463357CF51C016241820
                  SHA-512:8CAC87AAF7F7E335C82BBB4ADACDAF81DF9D36E719FD26A1B1E95F169134013677EA06202A3B9C5A3E02584D3CA6CD629AE34C6B8D70BD74FF2E2A2E6C474C7D
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header bytes (DOS stub "This program cannot be run in DOS mode", Rich header; sections .text, .rdata, .data, .rsrc, .reloc); binary dump omitted
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):2336768
                  Entropy (8bit):6.894094251328808
                  Encrypted:false
                  SSDEEP:49152:cDrN2OaIP2WOIyZPQhd7aLcrmArnVaB8DqYv4W6rXoYO:cDrN2OaIP2ZIE4fCUmArnk+DqYQ
                  MD5:A87BA6AC613B8ECB5ED033E57B871E6F
                  SHA1:39F6C33B5E9CAE045854B711AF29FC4B916B79BF
                  SHA-256:7F4873CDB78B9CD18C069EAE434D38DD14E987531866463357CF51C016241820
                  SHA-512:8CAC87AAF7F7E335C82BBB4ADACDAF81DF9D36E719FD26A1B1E95F169134013677EA06202A3B9C5A3E02584D3CA6CD629AE34C6B8D70BD74FF2E2A2E6C474C7D
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
Preview: MZ/PE header bytes (DOS stub "This program cannot be run in DOS mode", Rich header; sections .text, .rdata, .data, .rsrc, .reloc); binary dump omitted
                  Process:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  File Type:TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode
                  Category:dropped
                  Size (bytes):24448
                  Entropy (8bit):6.021815002677403
                  Encrypted:false
                  SSDEEP:384:vGghlfJ9PrivEdmCn9C3SOEt6zV62qvH+h7jf43W8TUZw0MvH+h7jf43W8TUZhwK:lrikmC9CCOEt6z/qvH+h7r4G8TIw0Mvg
                  MD5:63F874D192FB3892D88D5E26F942B5E2
                  SHA1:1CE1ED312B41A237CB253C706290C0FD7287859D
                  SHA-256:87EB14D41EEEAC0BD7FE0C62ECE05134BBF1EE8059B6E3E701D7F4A7799506DC
                  SHA-512:ACEA89E459D5EDB937056E86D1E9ACC430206957B7DB98C67AA0D629013BF8F626E29684199D86F712CAED6E3F265A984E0EEFD6E33E7FF3DB77057720AB7F5C
                  Malicious:false
Preview: TrueType font tables (OS/2, PCLT, cmap, cvt, fpgm, glyf, hdmx, head, hhea, hmtx, loca, maxp, name, post, prep); embedded name strings: "Font Typeface: DS-Digital. Created by Dusit Supasawat , DS-Font 1998. All Rights Reserved.", "DS-Digital", "Normal", "Dusit Supasawat: DS-Digital: Version 1.1"; binary dump omitted
                  Process:C:\Windows\SysWOW64\netsh.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):7
                  Entropy (8bit):2.2359263506290326
                  Encrypted:false
                  SSDEEP:3:t:t
                  MD5:F1CA165C0DA831C9A17D08C4DECBD114
                  SHA1:D750F8260312A40968458169B496C40DACC751CA
                  SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                  SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                  Malicious:false
                  Preview:Ok.....
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.979590120899689
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.62%
                  • Win32 Executable (generic) a (10002005/4) 49.57%
                  • Windows ActiveX control (116523/4) 0.58%
                  • InstallShield setup (43055/19) 0.21%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:sZSXKXOnBw.exe
                  File size:40'714'240 bytes
                  MD5:7e9bb4d78101740566c64724c56573b9
                  SHA1:5cf8ba12af98c1f0b90ab15cfecc1fc5f3241372
                  SHA256:90bfce53578f6f532e9947668112eeab461acc176f499feec880a9326815214e
                  SHA512:c240ffd40007ce2d67e72bc52c0b3348e1c07b3b2a340543781363617690e5607d6d0cfab2bb7db57aa895081c817dc2a550cf2929040ebfa2aacb67fb76e86d
                  SSDEEP:786432:FYXQkw++7HaRK+qjAnv7aXWFOJRD600LPGiH72CujWDhgPwlm5v1npyDu:FcdYEK++An2WFOJRD600LPGiHpfhgPw6
                  TLSH:8597128E2160D1F3FD83883AF26296997D617E45532394CFFB10325E97392E616B40BB
File Content Preview: MZ/PE header bytes (DOS stub "This program cannot be run in DOS mode"); binary dump omitted
                  Icon Hash:0f33315c7871138f
                  Entrypoint:0x43d9f9
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x662CE760 [Sat Apr 27 11:54:08 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:2abab44f29387a768ac32ec5f31bee3f
                  Instruction
                  call 00007F44D4F06E8Dh
                  jmp 00007F44D4EFE77Ch
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  mov ecx, dword ptr [esp+04h]
                  test ecx, 00000003h
                  je 00007F44D4EFE986h
                  mov al, byte ptr [ecx]
                  add ecx, 01h
                  test al, al
                  je 00007F44D4EFE9B0h
                  test ecx, 00000003h
                  jne 00007F44D4EFE951h
                  add eax, 00000000h
                  lea esp, dword ptr [esp+00000000h]
                  lea esp, dword ptr [esp+00000000h]
                  mov eax, dword ptr [ecx]
                  mov edx, 7EFEFEFFh
                  add edx, eax
                  xor eax, FFFFFFFFh
                  xor eax, edx
                  add ecx, 04h
                  test eax, 81010100h
                  je 00007F44D4EFE94Ah
                  mov eax, dword ptr [ecx-04h]
                  test al, al
                  je 00007F44D4EFE994h
                  test ah, ah
                  je 00007F44D4EFE986h
                  test eax, 00FF0000h
                  je 00007F44D4EFE975h
                  test eax, FF000000h
                  je 00007F44D4EFE964h
                  jmp 00007F44D4EFE92Fh
                  lea eax, dword ptr [ecx-01h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-02h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-03h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-04h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  push ebp
                  mov ebp, esp
                  sub esp, 20h
                  mov eax, dword ptr [ebp+08h]
                  push esi
                  push edi
                  push 00000008h
                  pop ecx
                  mov esi, 00452628h
                  lea edi, dword ptr [ebp-20h]
                  rep movsd
                  mov dword ptr [ebp-08h], eax
                  mov eax, dword ptr [ebp+0Ch]
                  test eax, eax
                  pop edi
                  mov dword ptr [ebp-04h], eax
                  pop esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69310 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x362000 | 0x2374db0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5f448 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x52000 | 0x440 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x50a40 | 0x51000 | 16ec38802287decd4bc23d69fc52a092 | False | 0.5337968991126543 | data | 6.7656997091833615 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x52000 | 0x1898e | 0x19000 | 1883c5c8e6ff2a036fe442f385831eae | False | 0.323076171875 | data | 5.19947779312424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6b000 | 0x137df8 | 0x135000 | 791acd23cadf1ad6d6044b7f7ca4ff46 | False | 0.44402463845064727 | data | 6.63015819748243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.GS. | 0x1a3000 | 0x1be160 | 0x1bf000 | 0cd68c92d404c165eb7c7f011622246c | False | 0.9397016350321589 | data | 7.697127639688447 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x362000 | 0x2374db0 | 0x2375000 | bee8a5182992c62a06167d30aaa0772a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x362178 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.14657598499061913
RT_RCDATA | 0x363220 | 0x2372acf | data | | | 0.9406948089599609
RT_GROUP_ICON | 0x26d5cf0 | 0x14 | data | | | 1.1
RT_VERSION | 0x26d5d04 | 0x352 | data | | | 0.4388235294117647
RT_MANIFEST | 0x26d6058 | 0xd57 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.39092240117130306
DLL | Import
KERNEL32.dll | FreeLibrary, Sleep, GetTickCount, InterlockedIncrement, InterlockedDecrement, SetLastError, HeapFree, GetProcessHeap, HeapReAlloc, HeapAlloc, InitializeCriticalSection, DeleteCriticalSection, FindResourceExA, GetUserDefaultUILanguage, GetCurrentProcessId, CompareStringW, CloseHandle, SetEvent, GetLastError, CompareStringA, WaitForSingleObject, lstrcpyW, GetSystemTimeAsFileTime, FindFirstFileW, FindClose, WriteFile, lstrcatW, SetFileTime, FormatMessageA, GetModuleFileNameW, CreateFileA, ReadFile, IsBadReadPtr, SetFilePointer, CreateEventA, GetModuleFileNameA, GetCurrentProcess, GetWindowsDirectoryA, GetVolumeInformationA, FlushInstructionCache, WriteConsoleW, SetEnvironmentVariableW, WriteConsoleA, FlushFileBuffers, SetStdHandle, GetStringTypeW, GetStringTypeA, QueryPerformanceCounter, GetCommandLineW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleMode, GetConsoleCP, GetStartupInfoA, GetFileType, SetHandleCount, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, GetTimeZoneInformation, GetCurrentThreadId, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStdHandle, HeapCreate, VirtualFree, RtlUnwind, GetStartupInfoW, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, CreateThread, ResumeThread, ExitThread, GetSystemInfo, VirtualAlloc, GetThreadLocale, GetLocaleInfoA, GetACP, HeapSize, HeapDestroy, GetVersionExA, RaiseException, WideCharToMultiByte, lstrlenW, lstrcmpiW, SetEnvironmentVariableA, IsBadWritePtr, VirtualProtect, VirtualQuery, lstrcmpiA, MultiByteToWideChar, GlobalAlloc, ExitProcess, lstrcmpA, LoadLibraryA, GetProcAddress, LockResource, LoadResource, SizeofResource, FindResourceA, lstrcpyA, lstrlenA, GetModuleHandleA, InterlockedExchange, GlobalFree, GlobalUnlock, LeaveCriticalSection, GlobalLock, EnterCriticalSection, GetConsoleOutputCP
USER32.dll | UnregisterClassA, ReleaseDC, GetWindowTextA, GetWindowRect, SetCursor, GetWindowLongA, LoadCursorA, GetSystemMetrics, SetWindowLongA, GetParent, GetCursorPos, GetDesktopWindow, MapWindowPoints, SetWindowPos, SendMessageA, SetForegroundWindow, ReleaseCapture, PostMessageA, BeginPaint, GetMessageA, TranslateMessage, DrawIcon, DispatchMessageA, LoadIconA, CreateDialogIndirectParamA, SetTimer, EndPaint, LoadStringA, SetClassLongA, KillTimer, DestroyWindow, EndDialog, PtInRect, GetDC, DrawEdge, InvalidateRect, GetClassNameA, PostQuitMessage, OffsetRect, TrackMouseEvent, LoadImageA, ScreenToClient, SetActiveWindow, GetWindowTextLengthA, IsDialogMessageA, SetWindowTextA, EnableWindow, GetActiveWindow, UpdateWindow, AdjustWindowRectEx, CallWindowProcA, CreateWindowExA, RegisterClassExA, DefWindowProcA, ShowWindow, SetFocus, TranslateAcceleratorA, DrawFocusRect, DrawTextA, SetCapture, MessageBoxA, wsprintfA, GetClientRect, FillRect
GDI32.dll | DeleteObject, CreateDIBSection, CreateSolidBrush, LineTo, MoveToEx, CreatePen, CreateCompatibleBitmap, CreateFontIndirectA, CreateCompatibleDC, DeleteDC, TextOutA, GetObjectA, SetBkMode, GetStockObject, StretchBlt, SetDIBColorTable, GetDIBColorTable, SelectObject, BitBlt, GetTextExtentPointA, SetTextColor
ADVAPI32.dll | RegQueryValueExA, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, RegSetValueExA
ole32.dll | CoSetProxyBlanket, CoInitializeEx, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, GetErrorInfo, SafeArrayPutElement, SysAllocStringLen, VariantChangeType, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, SysFreeString, SysStringLen, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, VariantInit, VariantClear
SHLWAPI.dll | StrRChrW
gdiplus.dll | GdipDeleteGraphics, GdipGetImagePaletteSize, GdipGetImageGraphicsContext, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipGetImagePalette, GdipBitmapLockBits, GdipDisposeImage, GdipDrawImageI, GdipFree, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipAlloc
MSIMG32.dll | TransparentBlt, AlphaBlend
iphlpapi.dll | GetAdaptersInfo
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 16:00:30.166363955 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.166413069 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.166480064 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.190296888 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.190320969 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.670650005 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.670748949 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.674416065 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.674436092 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.674793005 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.795279026 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.835335970 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957294941 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957484007 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957540989 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.957576036 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957659006 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957742929 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957779884 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.957789898 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957870960 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.957879066 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957950115 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.957999945 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.958009005 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.958098888 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.958182096 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.958184958 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.958214045 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:30.958256960 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:30.973035097 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048166990 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048248053 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:31.048266888 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048358917 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048424006 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:31.048433065 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048523903 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048573971 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:31.048582077 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048687935 CET | 443 | 49761 | 185.199.110.133 | 192.168.2.7
Jan 12, 2025 16:00:31.048739910 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Jan 12, 2025 16:00:31.053955078 CET | 49761 | 443 | 192.168.2.7 | 185.199.110.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 16:00:30.133116961 CET | 61957 | 53 | 192.168.2.7 | 1.1.1.1
Jan 12, 2025 16:00:30.140558958 CET | 53 | 61957 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 16:00:30.133116961 CET | 192.168.2.7 | 1.1.1.1 | 0x10c3 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 16:00:30.140558958 CET | 1.1.1.1 | 192.168.2.7 | 0x10c3 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 16:00:30.140558958 CET | 1.1.1.1 | 192.168.2.7 | 0x10c3 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 16:00:30.140558958 CET | 1.1.1.1 | 192.168.2.7 | 0x10c3 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 16:00:30.140558958 CET | 1.1.1.1 | 192.168.2.7 | 0x10c3 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                  • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49761 | 185.199.110.133 | 443 | 3892 | C:\Users\user\Desktop\aKmuNxOVRW.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 15:00:30 UTC | 110 | OUT | GET /AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2025-01-12 15:00:30 UTC | 901 | IN | HTTP/1.1 200 OK
                  Connection: close
                  Content-Length: 24448
                  Cache-Control: max-age=300
                  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                  Content-Type: application/octet-stream
                  ETag: "89bc54705259d3f2d32d84e9147123d7f2488f209e9d33e6848c46257a817326"
                  Strict-Transport-Security: max-age=31536000
                  X-Content-Type-Options: nosniff
                  X-Frame-Options: deny
                  X-XSS-Protection: 1; mode=block
                  X-GitHub-Request-Id: 50B0:EFC23:18EBD30:1BD1C96:6783D90E
                  Accept-Ranges: bytes
                  Date: Sun, 12 Jan 2025 15:00:30 GMT
                  Via: 1.1 varnish
                  X-Served-By: cache-ewr-kewr1740021-EWR
                  X-Cache: MISS
                  X-Cache-Hits: 0
                  X-Timer: S1736694031.847080,VS0,VE64
                  Vary: Authorization,Accept-Encoding,Origin
                  Access-Control-Allow-Origin: *
                  Cross-Origin-Resource-Policy: cross-origin
                  X-Fastly-Request-ID: f25a7c15da12f5a7299a82d5de7a0a472aec2d96
                  Expires: Sun, 12 Jan 2025 15:05:30 GMT
                  Source-Age: 0
                  2025-01-12 15:00:30 UTC1378INData Raw: 1a 09 05 2b 01 07 27 35 37 17 27 07 21 27 21 01 07 11 37 17 25 17 07 21 27 37 03 23 15 33 01 df 1b 2f 25 25 33 25 ff 00 4b 01 4b ff 00 4b 1c 2f 01 09 26 26 fe fb 25 25 04 4b 4b 01 88 1c 2f c8 26 26 34 26 4b fd 9d 4b 01 25 1d 2f 62 25 25 25 25 fe 6f 4b 00 09 00 3c 00 00 02 3d 02 bc 00 04 00 09 00 0f 00 14 00 1a 00 1f 00 25 00 2b 00 31 00 00 01 07 27 35 37 27 07 21 27 37 05 07 21 27 37 21 13 27 35 37 17 05 07 27 35 37 17 01 21 27 37 33 25 07 27 35 37 17 07 37 17 15 07 27 17 27 37 21 17 07 02 3d 1c 2f 4b 0f 4a fe b0 25 25 01 7f 26 fe fb 25 25 01 05 50 4b 2f 1c fe 4a 2f 1c 25 26 01 a7 fe c3 25 25 f3 ff 00 26 25 1c 2f a8 1c 2f 26 25 58 25 25 01 84 25 25 02 01 1c 2f 4f 4b 0e 4b 26 25 e5 25 25 25 fe a7 4b ad 2e 1c 12 2f 1c db 26 26 fe 32 26 25 0e 25 25 bf 1c 2e
                  Data Ascii: +'57'!'!7%!'7#3/%%3%KKK/&&%%KK/&&4&KK%/b%%%%oK<=%+1'57'!'7!'7!'57'57!'73%'577''7!=/KJ%%&%%PK/J/%&%%&%//&%X%%%%/OKK&%%%%K./&&2&%%%.
                  2025-01-12 15:00:30 UTC1378INData Raw: 01 21 37 21 25 15 07 11 37 27 11 17 15 07 25 17 07 21 27 37 01 df 4a fe ff 4a 01 95 fe 6b 4a 01 01 fe f2 4b 1c 1c 4b 2f 01 38 26 26 fe fb 25 25 02 bc 4b 4b fd 44 4b d6 c8 4b 01 25 1d 38 01 26 4b c8 2f 17 25 25 25 25 00 04 00 3c 00 0e 01 df 02 bc 00 03 00 08 00 0d 00 13 00 5a 40 2a 12 03 00 0f 0e 10 08 04 06 0d 08 15 02 01 1b 00 13 0e 1b 11 10 0e 0c 0b 05 03 04 1a 0a 09 07 03 06 03 00 00 06 0d 78 01 06 46 76 2f 37 18 00 76 3f 18 3f 3c 01 2f 17 3c fd 17 3c 00 3f 3c fd 3c 10 fd 3c 3f d6 01 11 12 39 00 11 12 39 01 2e 2e 2e 31 30 b2 14 06 05 2b 01 07 21 27 13 15 07 11 37 27 11 17 15 07 25 17 07 21 27 37 01 df 4a fe ff 4a 3d 4b 1c 1c 4b 2f 01 38 26 26 fe fb 25 25 02 bc 4b 4b fe 65 c8 4b 01 25 1d 38 01 26 4b c8 2f 17 25 25 25 25 00 06 00 3c 00 00 01 df 02 bc 00
                  Data Ascii: !7!%7'%!'7JJkJKK/8&&%%KKDKK%8&K/%%%%<Z@*xFv/7v??</<<?<<<?99...10+!'7'%!'7JJ=KK/8&&%%KKeK%8&K/%%%%<
                  2025-01-12 15:00:30 UTC1378INData Raw: 00 3c 00 00 01 df 02 bc 00 03 00 08 00 0d 00 12 00 17 00 1d 00 89 40 43 00 0f 12 0e 10 19 1a 18 08 04 06 12 08 1c 17 0d 19 01 16 07 0e 02 01 1b 00 03 18 0c 0b 05 03 04 1a 06 14 13 11 03 10 1a 0e 0a 09 07 03 06 18 16 15 0f 03 0e 1a 1b 1a 1a 1d 18 03 00 00 06 0b 78 01 06 46 76 2f 37 18 00 76 3f 18 3f 3c 01 2f 3c fd 3c 10 dd 17 3c 10 dd 17 3c 31 10 fd 17 3c 10 fd 17 3c 10 d6 00 10 fd 3c 3f d6 10 d6 2f 3c 3c d6 3c 01 11 12 39 11 12 39 11 12 39 00 2e 01 2e 31 30 b2 1e 06 05 2b 01 07 23 27 13 15 07 11 37 27 11 17 15 07 05 11 27 35 37 27 35 37 11 07 27 37 17 15 07 27 01 d1 4a f3 4a 3d 4b 1c 1c 4b 2f 01 87 4a 2f 2f 4a 1b dc 25 26 26 25 02 bc 4b 4b fe 65 d6 4b 01 33 1d 38 01 26 4b c8 2f 39 fe cd 4b d6 2f 4b c8 4b fe da 1c cd 25 25 a7 26 26 00 00 05 00 3c 00 00 01
                  Data Ascii: <@CxFv/7v??</<<<<1<<<?/<<<999..10+#'7''57'57'7'JJ=KK/J//J%&&%KKeK38&K/9K/KK%%&&<
                  2025-01-12 15:00:30 UTC1378INData Raw: 03 00 0a 09 00 1a 19 11 0b 78 01 0d 46 76 2f 37 18 00 76 3f 3c 3c 18 3f 3c 01 2f 17 3c fd 3c 2f 17 3c fd 17 3c 10 d6 3c 00 3f 3c fd 3c 10 fd 3c 3f d6 10 d6 3c 3f d6 3c 87 2e 0e c4 0e fc 0e c4 01 11 12 39 11 12 39 11 12 39 00 11 12 39 11 12 39 01 2e 2e 31 30 b2 21 0d 05 2b 01 07 27 35 37 17 27 07 23 27 21 01 07 27 11 17 11 07 11 37 1f 01 35 33 17 15 23 03 17 07 21 27 37 01 df 1b 2f 25 25 33 25 f3 4a 01 3d ff 00 2f 1c 4b 4b 1c 2f 33 35 f0 35 1a 26 26 fe fb 25 25 01 88 1c 2f c8 26 26 34 26 4b fe df 2f 1c 01 26 4b fd e8 4b 01 33 1d 2f 30 35 f1 35 01 83 25 25 25 25 00 00 05 00 3c 00 00 01 df 02 bc 00 05 00 0b 00 11 00 17 00 1d 00 8e 40 43 1c 16 03 0a 00 04 01 19 18 1a 13 14 12 07 01 01 00 08 0a 00 08 14 10 10 0c 0e 0d 0c 0e 07 1b 1e 02 01 1b 04 15 14 1b 12 1b
                  Data Ascii: xFv/7v?<<?</<</<<<?<<<?<?<.99999..10!+'57'#'!'753#!'7/%%3%J=/KK/355&&%%/&&4&K/&KK3/055%%%%<@C
                  2025-01-12 15:00:30 UTC1378INData Raw: 3c d6 17 3c 00 87 2e 0e c4 0e c4 0e c4 0e fc 0e c4 0e c4 0e c4 87 2e 0e c4 0e c4 0e c4 0e fc 0e c4 0e c4 0e c4 00 2e 2e 01 2e 2e 2e 2e 31 30 b2 18 07 05 2b 01 35 37 33 15 03 23 03 35 33 17 1d 02 07 23 35 13 33 13 15 23 27 35 01 1c 98 2b 9d 68 9e 2b 98 98 2b 9e 67 9e 2b 98 01 6c 52 fe 49 fe f9 01 07 49 fe 52 1c 52 fe 49 01 07 fe f9 49 fe 52 00 05 00 3c 00 00 01 df 02 bc 00 04 00 09 00 0f 00 15 00 1b 00 74 40 37 1a 0e 09 17 16 18 0b 0c 0a 11 00 02 01 00 02 01 14 15 11 1b 1c 0d 0c 1b 0a 19 18 1b 1b 16 01 08 07 09 05 13 12 03 03 02 1a 15 10 04 03 00 04 00 5d 0f 0a 0b 01 05 46 76 2f 37 18 00 3f 3c 76 3f 18 01 2f 17 3c fd 17 3c 2f 3c d6 3c 00 3f 3c fd 3c 10 fd 3c 10 fd 3f d6 01 11 12 39 11 12 39 00 11 12 39 11 12 39 00 2e 01 2e 2e 31 30 b2 1c 05 05 2b 01 07 27
                  Data Ascii: <<........10+573#53#53#'5+h++g+lRIIRRIIR<t@7]Fv/7?<v?/<</<<?<<<?9999...10+'



                  Target ID:2
                  Start time:10:00:13
                  Start date:12/01/2025
                  Path:C:\Users\user\Desktop\sZSXKXOnBw.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\sZSXKXOnBw.exe"
                  Imagebase:0x400000
                  File size:40'714'240 bytes
                  MD5 hash:7E9BB4D78101740566C64724C56573B9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:9
                  Start time:10:00:20
                  Start date:12/01/2025
                  Path:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\aKmuNxOVRW.exe" sZSXKXOnBw.exe
                  Imagebase:0x400000
                  File size:40'714'240 bytes
                  MD5 hash:7E9BB4D78101740566C64724C56573B9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 42%, ReversingLabs
                  Reputation:low
                  Has exited:false

                  Target ID:13
                  Start time:10:00:31
                  Start date:12/01/2025
                  Path:C:\Users\user\Desktop\aKmuNxOVRW.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\aKmuNxOVRW.exe" "sZSXKXOnBw.exe"
                  Imagebase:0x400000
                  File size:40'714'240 bytes
                  MD5 hash:7E9BB4D78101740566C64724C56573B9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:14
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set heuristics disabled
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:15
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global autotuninglevel=normal
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:16
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:17
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global congestionprovider=ctcp
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:18
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:19
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global ecncapability=default
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:20
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:21
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global rss=enabled
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:22
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:23
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global chimney=disabled
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:24
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:25
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global dca=enabled
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:26
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:27
                  Start time:10:00:32
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global timestamps=disabled
                  Imagebase:0x7ff6fee10000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:28
                  Start time:10:00:33
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:29
                  Start time:10:00:33
                  Start date:12/01/2025
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:"netsh" int tcp set global rsc=enabled
                  Imagebase:0x1770000
                  File size:82'432 bytes
                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:30
                  Start time:10:00:33
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff675630000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:31
                  Start time:10:00:33
                  Start date:12/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  No disassembly