
Windows Analysis Report
sZSXKXOnBw.exe

Overview

General Information

Sample name: sZSXKXOnBw.exe
Analysis ID: 1589483
MD5: 7e9bb4d78101740566c64724c56573b9
SHA1: 5cf8ba12af98c1f0b90ab15cfecc1fc5f3241372
SHA256: 90bfce53578f6f532e9947668112eeab461acc176f499feec880a9326815214e
Tags: exe, user-mickeyftnt1

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • sZSXKXOnBw.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\sZSXKXOnBw.exe" MD5: 7E9BB4D78101740566C64724C56573B9)
    • vGgGSjuZNP.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\vGgGSjuZNP.exe" sZSXKXOnBw.exe MD5: 7E9BB4D78101740566C64724C56573B9)
      • vGgGSjuZNP.exe (PID: 2020 cmdline: "C:\Users\user\Desktop\vGgGSjuZNP.exe" "sZSXKXOnBw.exe" MD5: 7E9BB4D78101740566C64724C56573B9)
      • netsh.exe (PID: 5344 cmdline: "netsh" int tcp set heuristics disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5952 cmdline: "netsh" int tcp set global autotuninglevel=normal MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2496 cmdline: "netsh" int tcp set global congestionprovider=ctcp MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6020 cmdline: "netsh" int tcp set global ecncapability=default MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 3916 cmdline: "netsh" int tcp set global rss=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6568 cmdline: "netsh" int tcp set global chimney=disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5052 cmdline: "netsh" int tcp set global dca=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2284 cmdline: "netsh" int tcp set global timestamps=disabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 6944 cmdline: "netsh" int tcp set global rsc=enabled MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: 2.3.vGgGSjuZNP.exe.b9c03cc.0.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 2.3.vGgGSjuZNP.exe.b9c03cc.0.raw.unpack | Rule: INDICATOR_EXE_Packed_DNGuard | Description: Detects executables packed with DNGuard | Author: ditekSHen | Strings:
  • 0x6695cc:$s1: DNGuard Runtime library
  • 0x6696e6:$s1: DNGuard Runtime library
  • 0x669755:$s1: DNGuard Runtime library
  • 0x6697cb:$s2: [*=*]This application is expired ![*=*]
Source: 0.3.sZSXKXOnBw.exe.b9b83cc.0.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.3.sZSXKXOnBw.exe.b9b83cc.0.raw.unpack | Rule: INDICATOR_EXE_Packed_DNGuard | Description: Detects executables packed with DNGuard | Author: ditekSHen | Strings:
  • 0x6695cc:$s1: DNGuard Runtime library
  • 0x6696e6:$s1: DNGuard Runtime library
  • 0x669755:$s1: DNGuard Runtime library
  • 0x6697cb:$s2: [*=*]This application is expired ![*=*]
Source: 8.3.vGgGSjuZNP.exe.b9b5dc4.1.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
        No Sigma rule has matched
        No Suricata rule has matched

        AV Detection

        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | ReversingLabs: Detection: 42%
        Source: sZSXKXOnBw.exe | ReversingLabs: Detection: 42%
        Source: sZSXKXOnBw.exe | Virustotal: Detection: 54%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.6% probability
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Joe Sandbox ML: detected
        Source: sZSXKXOnBw.exe | Joe Sandbox ML: detected
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MThe remote name could not be resolved:5-----BEGIN PUBLIC KEY-----memstr_8a499e5c-8
        Source: sZSXKXOnBw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
        Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49739 version: TLS 1.2
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\boxedappsdkthunk\BoxedAppSDKThunk.pdb source: sZSXKXOnBw.exe
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\bin\release_full\bxsdk32.pdb source: sZSXKXOnBw.exe
        Source: Binary string: V:\builds\BoxedApp\files\8CC2254F\src\BoxedApp\bxsdk\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb source: sZSXKXOnBw.exe
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdbSHA256 source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp.2.dr
        Source: Binary string: C:\Users\hpcou\Desktop\newSRC\MReget\obj\Debug\MReget.pdb source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\tlssupport\TLSSupport.pdb source: sZSXKXOnBw.exe
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdb source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp0.2.dr

        Networking

        Source: Yara match | File source: 2.3.vGgGSjuZNP.exe.b9c03cc.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.sZSXKXOnBw.exe.b9b83cc.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.3.vGgGSjuZNP.exe.b9b5dc4.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.sZSXKXOnBw.exe.b9b6dc4.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.3.vGgGSjuZNP.exe.b9b73cc.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.3.vGgGSjuZNP.exe.b9bedc4.2.raw.unpack, type: UNPACKEDPE
        Source: global traffic | HTTP traffic detected: GET /AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 185.199.111.133
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
        Source: vGgGSjuZNP.exe | String found in binary or memory: http://boxedapp.com/boxedappsdk/order.html
        Source: vGgGSjuZNP.exe, 00000008.00000003.1991964893.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://boxedapp.com/boxedappsdk/order.htmlOv
        Source: sZSXKXOnBw.exe | String found in binary or memory: http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)U
        Source: vGgGSjuZNP.exe, 00000002.00000003.1902434075.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w9
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://npci.org/upi/schema/:
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://npci.org/upi/schema/T
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916196340.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1911418109.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz1
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/HM
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Nv
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/PD
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/T
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0yp
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916196340.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1911418109.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Nv
        Source: vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
        Source: vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s8
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/y
        Source: tesseract50.dll.tmp.2.dr, tesseract50.dll.tmp0.2.drString found in binary or memory: http://www.loc.gov/standards/alto/ns-v3#
        Source: vGgGSjuZNP.exe, 00000002.00000003.1924868940.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
        Source: vGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910403668.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
        Source: vGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comnt
        Source: vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.net
        Source: vGgGSjuZNP.exe, 00000002.00000003.1902696488.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902434075.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902852499.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902168584.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netnet
        Source: vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.neton
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919005568.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918818127.0000000010DC4000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918876130.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de.
        Source: vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dewap
        Source: vGgGSjuZNP.exe, 00000002.00000003.1907648272.0000000010DB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: vGgGSjuZNP.exe, 00000002.00000003.1907648272.0000000010DB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnt
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcver
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data=
        Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.irctc.co.in
        Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.drString found in binary or memory: https://www.sqlite.org/copyright.html2
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
        Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49739 version: TLS 1.2

        System Summary

Source: 2.3.vGgGSjuZNP.exe.b9c03cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: 0.3.sZSXKXOnBw.exe.b9b83cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: 8.3.vGgGSjuZNP.exe.b9b5dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: 0.3.sZSXKXOnBw.exe.b9b6dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: 8.3.vGgGSjuZNP.exe.b9b73cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: 2.3.vGgGSjuZNP.exe.b9bedc4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with DNGuard Author: ditekSHen
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | File created: C:\Windows\Fonts\DS-Digital.ttf
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Code function: 8_3_02E13008
Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMReget.dll. vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBhimAXIS.dll2 vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: get_OriginalFilename vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000000.1745914129.000000000046B000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000002.1838386183.000000000046D000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000000.1745914129.0000000000576000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxedAppSDK.dll: vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe, 00000000.00000002.1837758245.0000000000183000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDNRuntime.dll4 vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Binary or memory string: OriginalFilenameBoxedAppSDK_AppDomainManager.dllP vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Binary or memory string: OriginalFilenameBoxedAppSDK.dll: vs sZSXKXOnBw.exe
Source: sZSXKXOnBw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.3.vGgGSjuZNP.exe.b9c03cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: 0.3.sZSXKXOnBw.exe.b9b83cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: 8.3.vGgGSjuZNP.exe.b9b5dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: 0.3.sZSXKXOnBw.exe.b9b6dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: 8.3.vGgGSjuZNP.exe.b9b73cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: 2.3.vGgGSjuZNP.exe.b9bedc4.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DNGuard author = ditekSHen, description = Detects executables packed with DNGuard
Source: sZSXKXOnBw.exe | Binary string: \??\UVMLite\??\Nsi\??\con\??\MountPointManager\??\CbFs3NrIoctl\??\PrlMiniRdrDN\Device\NETBT_TCPIP_\Device\LanmanDatagramReceiver\Device\RdpDr\Device\RasAcd\Device\WS2IFSL\Device\DeviceApi\\Device\KsecDD\Device\CNG\DosDevices\pipe\\Device\DfsClient\Device\Afd\Device\Csc\Device\Mailslot\\Device\NamedPipe\\??\pipe\
Source: sZSXKXOnBw.exe | Binary string: \Device\\??\UNC\??\Z:FullWriteCopyMergedNone
Source: classification engine | Classification label: mal96.troj.evad.winEXE@33/32@1/1
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | File created: C:\Users\user\Desktop\GADAR.lnk
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_00001824_00001834
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2692:120:WilError_03
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_00000aa4_00000a68
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_000007e4_000003d4
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_000007e4_000003d4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_process_list_mutex_00001824_00001834
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_000007e4_000003d4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_shared_env_mutex_00000aa4_00000a68
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_000007e4_000003d4_000007e4
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00000aa4_00000a68
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\boxedapp_global_shared_mem_00001824_00001834
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_00001824_00001834_00001824
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Mutant created: \Sessions\1\BaseNamedObjects\bx_process_mutex_00000aa4_00000a68_00000aa4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | File created: C:\Users\user\AppData\Local\Temp\2
Source: sZSXKXOnBw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.62%
Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | WMI Queries: IWbemServices::ExecNotificationQuery - root\cimv2 : select * from Win32_ProcessStartTrace
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE TBL_UPI(RID integer PRIMARY KEY AUTOINCREMENT, MobNo varchar(15), UPIAdd varchar(15), RegiInfo varchar(50000), LoginInfo varchar(100000), AccInfo varchar(100000), TrnsInfo varchar(100000), SessInfo varchar(100000), TimeStamp varchar(50));
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sZSXKXOnBw.exe | ReversingLabs: Detection: 42%
Source: sZSXKXOnBw.exe | Virustotal: Detection: 54%
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeFile read: C:\Users\user\Desktop\sZSXKXOnBw.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\sZSXKXOnBw.exe "C:\Users\user\Desktop\sZSXKXOnBw.exe"
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeProcess created: C:\Users\user\Desktop\vGgGSjuZNP.exe "C:\Users\user\Desktop\vGgGSjuZNP.exe" sZSXKXOnBw.exe
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Users\user\Desktop\vGgGSjuZNP.exe "C:\Users\user\Desktop\vGgGSjuZNP.exe" "sZSXKXOnBw.exe"
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global autotuninglevel=normal
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global congestionprovider=ctcp
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global ecncapability=default
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rss=enabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global chimney=disabled
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global dca=enabled
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global timestamps=disabled
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeProcess created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rsc=enabled
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: sxs.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: sxs.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: sxs.dll
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rtutils.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: sZSXKXOnBw.exe Static file information: File size 40714240 > 1048576
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x135000
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .GS. is bigger than: 0x100000 < 0x1bf000
        Source: sZSXKXOnBw.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2375000
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\boxedappsdkthunk\BoxedAppSDKThunk.pdb source: sZSXKXOnBw.exe
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\bin\release_full\bxsdk32.pdb source: sZSXKXOnBw.exe
        Source: Binary string: V:\builds\BoxedApp\files\8CC2254F\src\BoxedApp\bxsdk\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb source: sZSXKXOnBw.exe
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdbSHA256 source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp.2.dr
        Source: Binary string: C:\Users\hpcou\Desktop\newSRC\MReget\obj\Debug\MReget.pdb source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: v:\builds\boxedapp\files\8cc2254f\src\boxedapp\bxsdk\obj\win32\release_full\tlssupport\TLSSupport.pdb source: sZSXKXOnBw.exe
        Source: Binary string: C:\Users\MSI\Desktop\New folder (3)\Gadar 22 Nov _ 2\projBHIM\obj\Debug\net472\BhimAXIS.pdb source: sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\dev\sqlite\dotnet\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: SQLite.Interop.dll.tmp0.2.dr
        Source: sZSXKXOnBw.exe Static PE information: section name: .GS.
        Source: vGgGSjuZNP.exe.0.dr Static PE information: section name: .GS.
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe Code function: 2_2_0043DF5D push ecx; ret 2_2_0043DF70
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe Code function: 8_3_02E0E758 push edx; iretd 8_3_02E0E760
        Source: sZSXKXOnBw.exe Static PE information: section name: .GS. entropy: 7.697127639688447
        Source: vGgGSjuZNP.exe.0.dr Static PE information: section name: .GS. entropy: 7.697127639688447
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\tesseract50.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy)
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe File created: C:\Users\user\Desktop\vGgGSjuZNP.exe
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\tesseract50.dll (copy)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File created: C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ServiceProvider

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe File deleted: c:\users\user\desktop\szsxkxonbw.exe
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  RDTSC instruction interceptor: first address 4038B7, second address 4038F4, instructions:
            0x00000000 rdtsc
            0x00000002 movsx edx, sp
            0x00000005 mov byte ptr [esp+1Dh], FFFFFF84h
            0x0000000a mov byte ptr [esp+1Eh], FFFFFFBFh
            0x0000000f cmovb edx, eax
            0x00000012 mov byte ptr [esp+1Fh], 00000019h
            0x00000017 mov ecx, dword ptr [esp+1Ch]
            0x0000001b mov al, 82h
            0x0000001d cdq
            0x0000001e movzx edx, si
            0x00000021 mov dword ptr [esi+00000200h], ecx
            0x00000027 cwd
            0x00000029 setns al
            0x0000002c push 00000100h
            0x00000031 cmovle eax, ebx
            0x00000034 mov byte ptr [esp+24h], 00000028h
            0x00000039 mov byte ptr [esp+25h], bl
            0x0000003d rdtsc
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  RDTSC instruction interceptor: first address 661FC0, second address 661FC9, instructions:
            0x00000000 rdtsc
            0x00000002 not ax
            0x00000005 mov ecx, dword ptr [esp+14h]
            0x00000009 rdtsc
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  RDTSC instruction interceptor: first address 4038B7, second address 4038F4, same instruction sequence as the sZSXKXOnBw.exe entry above
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  RDTSC instruction interceptor: first address 661FC0, second address 661FC9, same instruction sequence as the sZSXKXOnBw.exe entry above
        Note: each pair of rdtsc reads brackets a few instructions; the code compares the difference of the two counters against a threshold, and a hypervisor trapping rdtsc or a single-stepping debugger inflates that difference. The filler between the reads is dead code (edx is written by movsx, cmovb, cdq and movzx in turn and never consumed), which is the usual shape of an obfuscated timing check. The same sequences at the same addresses in the submitted file and in the dropped vGgGSjuZNP.exe show that the dropped file carries the same native code. Enumerating Win32_LogicalDisk exposes drive count and capacity, which are commonly compared against the small disks of analysis VMs.
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: 47F0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: 4E10000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: 4830000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: 10600000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: 13600000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 47A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 5150000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 4950000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 47E0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 4F20000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Memory allocated: 4DB0000 memory reserve | memory write watch
        Note: MEM_WRITE_WATCH reservations are how the .NET garbage collector tracks dirtied heap pages on Windows. Both executables are managed processes (they load System.Windows.Forms.dll from the GAC, see the volume-information entries further down), so these allocations are expected CLR behaviour and carry no weight as an evasion indicator on their own.
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Window / User API: threadDelayed 4443
        Note: 922337203685477 ms is .NET's TimeSpan.MaxValue ((2^63 - 1) ticks of 100 ns), i.e. a managed wait with no timeout; it parks a thread indefinitely rather than stalling execution for a measured interval. The 4443 figure is the number of delay calls observed, which is what a sleep-based stalling loop looks like from the outside.
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Dropped PE file which has not been started:
            C:\Users\user\Desktop\x64\tesseract50.dll.tmp
            C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy)
            C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp
            C:\Users\user\Desktop\x86\tesseract50.dll.tmp
            C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp
            C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy)
            C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy)
            C:\Users\user\Desktop\x64\tesseract50.dll (copy)
            C:\Users\user\Desktop\x86\tesseract50.dll (copy)
            C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp
            C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp
            C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy)
        Note: tesseract50.dll and leptonica-1.82.0.dll are the Tesseract 5 OCR engine and its Leptonica image library; SQLite.Interop.dll is the native half of System.Data.SQLite. Each is written first as a .tmp and then under its final name, for both x86 and x64, in the x86\ and x64\ subfolders that the .NET wrappers for these libraries resolve at run time. None was loaded during the analysis window, so the OCR and SQLite functionality was not exercised here.
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe TID: 6424  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe TID: 7144  Thread sleep time: -68400s >= -30000s
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe TID: 5324  Thread sleep time: -51300s >= -30000s
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe TID: 7712  Thread sleep time: -44430s >= -30000s
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe TID: 2488  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
        Note: the Win32_ComputerSystemProduct UUID is the SMBIOS system UUID, a stable per-machine value. It serves as a victim identifier and, on analysis images cloned from a single template, as a recognisable constant.
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (3 occurrences)
        Source: vGgGSjuZNP.exe.0.dr  Binary or memory string: VMware
        Source: config.zip.2.dr  Binary or memory string: VMCI9
        Source: netsh.exe, 0000000E.00000003.1956816054.00000000010F2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
        Source: netsh.exe, 00000011.00000003.1956857981.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.1956966658.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
        Source: netsh.exe, 00000009.00000003.1957197043.0000000001141000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000013.00000003.1956734620.0000000000911000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000017.00000003.1956460581.0000000003661000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
        Source: vGgGSjuZNP.exe.0.dr  Binary or memory string: ErrorUnknown ,Version=Culture=PublicKeyToken=ProcessorArchitecture=neutral0 ., - Virtual Machine Network Services DriverVMwareBluetoothWiFiWLan802.11%02X-%02X-%02X-%02X-%02X-%02XCreate Com failed.root\cimv2Can't Connect to WMI Service: HR: 0x%X, LastError: 0x%XWMI ACCESS_DENIEDset proxy failed|:InterfaceTypeUSBIndexManufacturerProductSerialNumberVersionWin32_BaseBoardNameSMBIOSBIOSVersionWin32_BIOSProcessorIdWin32_ProcessorModelWin32_DiskDriveWin32_PhysicalMedia%.4X
        Source: netsh.exe, 0000000A.00000002.1959841296.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000C.00000003.1956378153.0000000000752000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000010.00000003.1956539979.00000000007F1000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Note: the "Hyper-V RAW" strings in the netsh.exe dumps are the name of the Winsock catalog entry for AF_HYPERV sockets, which mswsock.dll provides on every Windows 10 install (netsh winsock show catalog lists it); they are not evidence that anything probed for a hypervisor. The string table in the dropped vGgGSjuZNP.exe is the one that matters: "Virtual Machine Network Services Driver" and "VMware" sit beside WMI class and property names (Win32_BaseBoard SerialNumber, Win32_BIOS SMBIOSBIOSVersion, Win32_Processor ProcessorId, Win32_DiskDrive Model, Win32_PhysicalMedia SerialNumber), the MAC-address format %02X-%02X-%02X-%02X-%02X-%02X and the error text "Can't Connect to WMI Service", which is the shape of a WMI-based hardware fingerprinting routine that doubles as a VM check. "VMCI9" in config.zip is a fragment (VMCI is VMware's guest-host communication interface) and too short to carry weight on its own.
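        The rows in this report are exported with the process path fused to the event name and the "Jump to behavior" / "Jump to dropped file" link text glued to the end, which makes them awkward to grep or count. The following Python is an added example (not part of the Joe Sandbox report or its tooling) that parses such rows into records, tallies them per process so repeated identical rows collapse into a count, and recognises the 922337203685477 ms delay value as .NET's TimeSpan.MaxValue. The sample rows are copied from this report; the field names of the returned records are this example's own choice.

```python
"""Parse raw Joe Sandbox behaviour rows into records and tally them per process.

A raw row looks like  Source: <process path><Event name>: <detail>Jump to behavior
(the path is fused to the event name; the link text at the end is optional).
"""
import re
from collections import Counter

# .NET TimeSpan.MaxValue in milliseconds: (2**63 - 1) ticks of 100 ns each.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

ROW_RE = re.compile(
    r"^Source:\s+"
    r"(?P<src>.+?)"                            # process path or memory-dump reference
    r"(?:\s+TID:\s+(?P<tid>\d+))?"             # optional thread id on sleep rows
    r"(?P<event>[A-Z][A-Za-z /]*?):\s*"        # event name fused to the path
    r"(?P<detail>.*?)"
    r"(?:Jump to (?:behavior|dropped file))?"  # trailing link text, if any
    r"\s*$"
)

# Constructed sample: rows copied from the report, in raw export form.
SAMPLE_ROWS = "\n".join([
    r"Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\vGgGSjuZNP.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk",
    r"Source: C:\Users\user\Desktop\sZSXKXOnBw.exe TID: 6424Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    r"Source: C:\Users\user\Desktop\vGgGSjuZNP.exeDropped PE file which has not been started: C:\Users\user\Desktop\x64\tesseract50.dll.tmpJump to dropped file",
    r"Source: netsh.exe, 0000000E.00000003.1956816054.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo",
    r"Source: C:\Users\user\Desktop\vGgGSjuZNP.exeThread delayed: delay time: 922337203685477Jump to behavior",
])


def parse_row(line: str):
    """Split one raw row into its fields; return None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src = m["src"].strip()
    # Memory-dump sources list "image, dump id" pairs; keep the first image name.
    first = src.split(",", 1)[0].strip()
    return {
        "source": src,
        "process": first.rsplit("\\", 1)[-1],
        "tid": int(m["tid"]) if m["tid"] else None,
        "event": m["event"].strip(),
        "detail": m["detail"].strip(),
    }


def parse_rows(text: str) -> list:
    return [r for r in map(parse_row, text.splitlines()) if r]


def count_events(records) -> Counter:
    """(process, event) -> number of rows; repeated identical rows become a count."""
    return Counter((r["process"], r["event"]) for r in records)


def is_timespan_max_wait(record) -> bool:
    """True when a delay/sleep row carries TimeSpan.MaxValue, i.e. an untimed managed wait."""
    return (record["event"] in ("Thread delayed", "Thread sleep time")
            and str(DOTNET_TIMESPAN_MAX_MS) in record["detail"])


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for (proc, event), n in sorted(count_events(recs).items()):
        print(f"{n:3d}  {proc:16s} {event}")
    for r in recs:
        if is_timespan_max_wait(r):
            print("untimed wait:", r["process"], r["event"], r["detail"])
```

        The regular expression relies on the event name starting with an upper-case letter directly after the path and containing only letters, spaces and slashes up to the first colon; that holds for every row type in this report, including the "Window / User API" rows and the "TID: n" sleep rows.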
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Process token adjusted: Debug
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process token adjusted: Debug  (2 occurrences)
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Process created: C:\Users\user\Desktop\vGgGSjuZNP.exe "C:\Users\user\Desktop\vGgGSjuZNP.exe" sZSXKXOnBw.exe
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Users\user\Desktop\vGgGSjuZNP.exe "C:\Users\user\Desktop\vGgGSjuZNP.exe" "sZSXKXOnBw.exe"
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global autotuninglevel=normal
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global congestionprovider=ctcp
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global ecncapability=default
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rss=enabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global chimney=disabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global dca=enabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global timestamps=disabled
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set global rsc=enabled
        Note: the submitted file starts its dropped copy with its own file name as the only argument, and the copy re-launches itself the same way, which gives the child a handle on the original file after the parent exits. All nine netsh invocations write TCP global parameters (receive-window heuristics and autotuning, the CTCP congestion provider, ECN, receive-side scaling, chimney offload, direct cache access, TCP timestamps, receive segment coalescing). This is the common "network optimisation" tweak set: it only takes effect from an elevated token, it touches no firewall rule, and netsh being spawned from SysWOW64 shows the parent is a 32-bit process. Nine netsh children from one non-system parent in quick succession is a cleaner detection signal than any single command.
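        One way to turn the netsh burst above into a detection, as an added example rather than anything from the report or a vendor rule set: group process-creation events by parent, keep only netsh command lines that write TCP parameters, and flag a parent that changes several distinct parameters inside a short window. The event schema ({"ts", "parent", "image", "cmdline"}) is an assumption of this example; the nine malicious command lines are taken from the report, and the two benign events are constructed noise.

```python
"""Flag a parent that rewrites TCP stack parameters through a burst of netsh children."""
import re
from collections import defaultdict

# "netsh int tcp set global name=value" and "netsh int tcp set heuristics disabled|enabled";
# firewall, winsock and other netsh contexts deliberately do not match.
NETSH_TCP_SET = re.compile(
    r'^"?netsh(?:\.exe)?"?\s+int(?:erface)?\s+tcp\s+set\s+'
    r'(?P<scope>global|heuristics)\s+(?P<setting>\S+)',
    re.IGNORECASE,
)

# Parents living under a user profile, Temp or ProgramData get an extra flag.
USER_WRITABLE = re.compile(
    r'^[A-Za-z]:\\Users\\|\\AppData\\|\\Temp\\|^[A-Za-z]:\\ProgramData\\', re.IGNORECASE
)


def tcp_setting(cmdline: str):
    """Return "scope setting" for a netsh TCP write, else None."""
    m = NETSH_TCP_SET.match(cmdline.strip())
    return f"{m['scope']} {m['setting']}".lower() if m else None


def find_tcp_tuning_bursts(events, min_settings=3, window_s=60.0):
    """Parents that change >= min_settings distinct TCP parameters within window_s seconds."""
    per_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        setting = tcp_setting(ev["cmdline"])
        if setting:
            per_parent[ev["parent"]].append((ev["ts"], setting))

    hits = {}
    for parent, rows in per_parent.items():
        best, start = set(), 0
        for end in range(len(rows)):  # sliding window over the time-ordered rows
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = {s for _, s in rows[start:end + 1]}
            if len(window) > len(best):
                best = window
        if len(best) >= min_settings:
            hits[parent] = {
                "settings": sorted(best),
                "parent_in_user_writable_path": bool(USER_WRITABLE.search(parent)),
            }
    return hits


_NETSH = r"C:\Windows\SysWOW64\netsh.exe"
_DROPPER = r"C:\Users\user\Desktop\vGgGSjuZNP.exe"
_TWEAKS = [  # the nine command lines observed in the report
    '"netsh" int tcp set heuristics disabled',
    '"netsh" int tcp set global autotuninglevel=normal',
    '"netsh" int tcp set global congestionprovider=ctcp',
    '"netsh" int tcp set global ecncapability=default',
    '"netsh" int tcp set global rss=enabled',
    '"netsh" int tcp set global chimney=disabled',
    '"netsh" int tcp set global dca=enabled',
    '"netsh" int tcp set global timestamps=disabled',
    '"netsh" int tcp set global rsc=enabled',
]
SAMPLE_EVENTS = [
    {"ts": 100.0 + i * 0.2, "parent": _DROPPER, "image": _NETSH, "cmdline": c}
    for i, c in enumerate(_TWEAKS)
] + [
    # constructed benign noise: one admin tweak from cmd.exe, a firewall query from PowerShell
    {"ts": 300.0, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface tcp set global autotuninglevel=normal"},
    {"ts": 301.0, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    for parent, info in find_tcp_tuning_bursts(SAMPLE_EVENTS).items():
        print(parent, info)
```

        Counting distinct settings rather than raw netsh launches keeps a retried single command from tripping the rule, and the window stops a year's worth of unrelated admin tweaks from accumulating under one long-lived parent such as explorer.exe.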
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Queries volume information: C:\ VolumeInformation  (3 occurrences)
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\ VolumeInformation  (3 occurrences)
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984.manifest VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_0b85a8bb8c7e851a.manifest VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe  Queries volume information: C:\Windows\Fonts\<font file> VolumeInformation, for the following font files (distinct names in the order queried; repeated queries of the same file, for example seven of bahnschrift.ttf, are collapsed):
            bahnschrift.ttf, calibrii.ttf, calibrili.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
            Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
            constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf,
            cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRADMCN.TTF, FRAHVIT.TTF,
            Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
            LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
            msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
            msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, monbaiti.ttf, msgothic.ttc, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf,
            pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf,
            Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf,
            trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, webdings.ttf, wingding.ttf,
            YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, AGENCYR.TTF
        Note: the GAC entries identify the managed dependencies of each process. The parent pulls in System.Windows.Forms and Microsoft.VisualBasic (VB.NET output, or C# using its helper classes); the dropped copy additionally loads System.Drawing and System.ServiceProcess, the managed API for installing and controlling Windows services. The long run of font-file queries is GDI+ building its installed-font collection when the System.Drawing/WinForms UI initialises; it is a side effect of that dependency, not a sign that the sample is interested in fonts.
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\WinSxS\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_0b85a8bb8c7e851a.manifest VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\vGgGSjuZNP.exeCode function: 2_2_00445F26 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_00445F26
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\vGgGSjuZNP.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" int tcp set heuristics disabled
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
        Source: C:\Users\user\Desktop\sZSXKXOnBw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
        MITRE ATT&CK matrix (one column per tactic; the number in front of a technique is the signature count shown in the report for that cell):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 11 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 124 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Behavior Graph ID: 1589483 | Sample: sZSXKXOnBw.exe | Startdate: 12/01/2025 | Architecture: WINDOWS | Score: 96

        Analysis root:
          DNS/IP: raw.githubusercontent.com
          Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures
          Started: sZSXKXOnBw.exe (graph badge: 4)

        sZSXKXOnBw.exe:
          Dropped: C:\Users\user\Desktop\vGgGSjuZNP.exe, PE32; C:\Users\user\AppData\...\sZSXKXOnBw.exe.log, ASCII
          Signatures: Tries to detect virtualization through RDTSC time measurements
          Started: vGgGSjuZNP.exe (graph badges: 28 20); conhost.exe

        vGgGSjuZNP.exe:
          DNS/IP: raw.githubusercontent.com 185.199.111.133, 443, 49739 FASTLYUS Netherlands
          Dropped: C:\Users\user\Desktop\...\tesseract50.dll.tmp, PE32; C:\Users\user\...\tesseract50.dll (copy), PE32; C:\Users\user\...\leptonica-1.82.0.dll.tmp, PE32; 9 other malicious files
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; 3 other signatures
          Started: netsh.exe; netsh.exe; netsh.exe; 7 other processes

        netsh.exe (each of the three instances):
          Started: conhost.exe

        7 other processes:
          Started: conhost.exe; conhost.exe; conhost.exe; 3 other processes

        Source | Detection | Scanner | Label
        sZSXKXOnBw.exe | 42% | ReversingLabs | Win32.Trojan.Giant
        sZSXKXOnBw.exe | 54% | Virustotal |
        sZSXKXOnBw.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\Desktop\vGgGSjuZNP.exe | 100% | Joe Sandbox ML |
        C:\Users\user\Desktop\vGgGSjuZNP.exe | 42% | ReversingLabs | Win32.Trojan.Giant
        C:\Users\user\Desktop\x64\SQLite.Interop.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x64\SQLite.Interop.dll.tmp | 0% | ReversingLabs |
        C:\Users\user\Desktop\x64\leptonica-1.82.0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x64\leptonica-1.82.0.dll.tmp | 0% | ReversingLabs |
        C:\Users\user\Desktop\x64\tesseract50.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x64\tesseract50.dll.tmp | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\SQLite.Interop.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\SQLite.Interop.dll.tmp | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\leptonica-1.82.0.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\leptonica-1.82.0.dll.tmp | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\tesseract50.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\Desktop\x86\tesseract50.dll.tmp | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        http://www.fontbureau.com/designersC | 0% | Avira URL Cloud | safe
        http://www.tiro.comnt | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/HM | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/1 | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comituNv | 0% | Avira URL Cloud | safe
        https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data= | 0% | Avira URL Cloud | safe
        http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)U | 0% | Avira URL Cloud | safe
        http://npci.org/upi/schema/T | 0% | Avira URL Cloud | safe
        http://www.carterandcone.coml-g | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comasTF | 0% | Avira URL Cloud | safe
        http://www.fontbureau.com_C | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/-cz | 0% | Avira URL Cloud | safe
        http://www.carterandcone.comE | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/Nv | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comgreta | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comywaaF | 0% | Avira URL Cloud | safe
        http://www.carterandcone.com | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comueic | 0% | Avira URL Cloud | safe
        http://www.typography.neton | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/1 | 0% | Avira URL Cloud | safe
        http://www.typography.net | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/Nv | 0% | Avira URL Cloud | safe
        http://www.urwpp.de. | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/PD | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/Y0yp | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/Y0 | 0% | Avira URL Cloud | safe
        http://www.fontbureau.com/ | 0% | Avira URL Cloud | safe
        http://npci.org/upi/schema/: | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/O | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/( | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comueak | 0% | Avira URL Cloud | safe
        http://boxedapp.com/boxedappsdk/order.html | 0% | Avira URL Cloud | safe
        http://www.fontbureau.com/designersp | 0% | Avira URL Cloud | safe
        http://www.urwpp.de | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comtaas1 | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comak | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cnt-i | 0% | Avira URL Cloud | safe
        http://www.carterandcone.comK | 0% | Avira URL Cloud | safe
        http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/ | 0% | Avira URL Cloud | safe
        http://www.urwpp.dewap | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/T | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comT | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comdp | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comyp | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/O | 0% | Avira URL Cloud | safe
        http://www.fontbureau.coms-cz | 0% | Avira URL Cloud | safe
        http://boxedapp.com/boxedappsdk/order.htmlOv | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/F | 0% | Avira URL Cloud | safe
        http://www.zhongyicts.com.cnt | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/fS | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/ | 0% | Avira URL Cloud | safe
        http://www.fontbureau.coma | 0% | Avira URL Cloud | safe
        http://www.fontbureau.com/T | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comd | 0% | Avira URL Cloud | safe
        http://www.typography.netnet | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/s8 | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/ | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/y | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/-cz1 | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/. | 0% | Avira URL Cloud | safe
        http://www.ascendercorp.com/typedesigners.htmlNv | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comf | 0% | Avira URL Cloud | safe
        http://www.fontbureau.come | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cnb-nB | 0% | Avira URL Cloud | safe
        http://www.fontbureau.comFy | 0% | Avira URL Cloud | safe
        http://www.fontbureau.como | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/b | 0% | Avira URL Cloud | safe
        http://en.w9 | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cns-e | 0% | Avira URL Cloud | safe
        https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcver | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        raw.githubusercontent.com | 185.199.111.133 | true | false | | high

        Name | Malicious | Antivirus Detection | Reputation
        https://raw.githubusercontent.com/AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF | false | | high
            NameSourceMaliciousAntivirus DetectionReputation
            http://www.jiyu-kobo.co.jp/HMvGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://npci.org/upi/schema/TsZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.tiro.comntvGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://pingupi.axisbank.co.in1/v1/healthcheck?version=#/v1/bind?data=sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.fontbureau.com/designersCvGgGSjuZNP.exe, 00000002.00000003.1920157822.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.fontbureau.comituNvvGgGSjuZNP.exe, 00000002.00000003.1924339966.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.tiro.comvGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910403668.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpfalse
              high
              http://www.jiyu-kobo.co.jp/jp/1vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://boxedapp.com/boxedappsdk/order.htmlS:(ML;;NW;;;LW)UsZSXKXOnBw.exefalse
              • Avira URL Cloud: safe
              unknown
              http://www.carterandcone.coml-gvGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910403668.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910506574.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.fontbureau.com/designersvGgGSjuZNP.exe, 00000002.00000003.1925091652.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                http://www.fontbureau.comasTFvGgGSjuZNP.exe, 00000002.00000003.1925698369.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.carterandcone.comvGgGSjuZNP.exe, 00000002.00000003.1910749300.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919138079.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919283166.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919349007.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919005568.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916508661.0000000010DBE000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 
00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916101836.0000000010DBD000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DBE000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
The URL column reproduces strings exactly as found in process memory, so many entries end in stray bytes that followed the URL in the dump (for example http://www.fontbureau.comueic or http://www.jiyu-kobo.co.jp/Y0yp); these are variants of the same string rather than distinct destinations. Most of the hosts (fontbureau.com, jiyu-kobo.co.jp, carterandcone.com, typography.net, urwpp.de, ascendercorp.com, zhongyicts.com.cn, founder.com.cn, sakkal.com, galapagosdesign.com) are font foundries whose vendor URLs are embedded in font metadata; the sqlite.org and loc.gov entries come from the dropped SQLite.Interop.dll and tesseract50.dll, and boxedapp.com is the vendor URL of the BoxedApp SDK. Every row below is flagged Malicious = false.

URL | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/-cz | vGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916196340.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1911418109.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com_C | vGgGSjuZNP.exe, 00000002.00000003.1925091652.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Nv | vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comE | vGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910403668.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910506574.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1908816406.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comgreta | vGgGSjuZNP.exe, 00000002.00000003.1920783959.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1921036219.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comueic | vGgGSjuZNP.exe, 00000002.00000003.1924868940.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1925091652.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924733518.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comywaaF | vGgGSjuZNP.exe, 00000002.00000003.1920057121.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.neton | vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/1 | vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.net | vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de. | vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/Nv | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/PD | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0yp | vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://npci.org/upi/schema/: | sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/ | vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919138079.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919005568.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919070905.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919210882.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918876130.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://boxedapp.com/boxedappsdk/order.html | vGgGSjuZNP.exe | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/O | vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html | vGgGSjuZNP.exe, 00000002.00000003.1924339966.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924396855.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924687479.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/( | vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comueak | vGgGSjuZNP.exe, 00000002.00000003.1920397638.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919005568.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918818127.0000000010DC4000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918876130.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | vGgGSjuZNP.exe, 00000002.00000003.1907648272.0000000010DB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersp | vGgGSjuZNP.exe, 00000002.00000003.1920157822.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920228941.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comak | vGgGSjuZNP.exe, 00000002.00000003.1920157822.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920228941.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comtaas1 | vGgGSjuZNP.exe, 00000002.00000003.1925091652.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnt-i | vGgGSjuZNP.exe, 00000002.00000003.1906507910.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1906317740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | vGgGSjuZNP.exe, 00000002.00000003.1924868940.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com= | vGgGSjuZNP.exe, 00000002.00000003.1920397638.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920157822.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920302589.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920228941.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comK | vGgGSjuZNP.exe, 00000002.00000003.1910749300.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919138079.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1910304154.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919283166.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919349007.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919005568.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919532272.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1919614835.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916508661.0000000010DBE000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.dewap | vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | vGgGSjuZNP.exe, 00000002.00000003.1907648272.0000000010DB7000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1907750128.0000000010DBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | vGgGSjuZNP.exe, 00000002.00000003.1924339966.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924396855.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | vGgGSjuZNP.exe, 00000002.00000003.1924868940.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdp | vGgGSjuZNP.exe, 00000002.00000003.1920057121.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/T | vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comT | vGgGSjuZNP.exe, 00000002.00000003.1924733518.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comyp | vGgGSjuZNP.exe, 00000002.00000003.1918793128.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918943967.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918656403.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918721217.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918445771.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918513745.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918573423.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918876130.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/O | vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/fS | vGgGSjuZNP.exe, 00000002.00000003.1905578245.0000000010DAF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coms-cz | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://boxedapp.com/boxedappsdk/order.htmlOv | vGgGSjuZNP.exe, 00000008.00000003.1991964893.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/F | vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnt | vGgGSjuZNP.exe, 00000002.00000003.1907648272.0000000010DB7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sqlite.org/copyright.html2 | SQLite.Interop.dll.tmp.2.dr, SQLite.Interop.dll.tmp0.2.dr | false | | high
http://www.jiyu-kobo.co.jp/jp/ | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | vGgGSjuZNP.exe, 00000002.00000003.1920397638.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920157822.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920302589.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920228941.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/T | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/-cz1 | vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netnet | vGgGSjuZNP.exe, 00000002.00000003.1902696488.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1901727753.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902434075.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902852499.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1902168584.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | vGgGSjuZNP.exe, 00000002.00000003.1907161400.0000000010DAF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/y | vGgGSjuZNP.exe, 00000002.00000003.1918311878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/s8 | vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.htmlNv | vGgGSjuZNP.exe, 00000002.00000003.1924339966.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924396855.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924687479.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924733518.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | vGgGSjuZNP.exe, 00000002.00000003.1906507910.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1907161400.0000000010DAF000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1906885084.0000000010DAF000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1907003304.0000000010DBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/. | vGgGSjuZNP.exe, 00000002.00000003.1924868940.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | vGgGSjuZNP.exe, 00000002.00000003.1924339966.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1924396855.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comf | vGgGSjuZNP.exe, 00000002.00000003.1925091652.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.come | vGgGSjuZNP.exe, 00000002.00000003.1925698369.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnb-nB | vGgGSjuZNP.exe, 00000002.00000003.1906507910.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1906317740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918382191.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918876130.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comFy | vGgGSjuZNP.exe, 00000002.00000003.1920397638.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920783959.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1921036219.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | vGgGSjuZNP.exe, 00000002.00000003.1920783959.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920567792.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920498734.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1920649030.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loc.gov/standards/alto/ns-v3# | tesseract50.dll.tmp.2.dr, tesseract50.dll.tmp0.2.dr | false | | high
http://en.w9 | vGgGSjuZNP.exe, 00000002.00000003.1902434075.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.irctc.co.in | sZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                      http://www.jiyu-kobo.co.jp/bvGgGSjuZNP.exe, 00000002.00000003.1916007769.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918014076.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916196340.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916693098.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917899740.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917511583.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1911418109.0000000010DB0000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1918155427.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917257878.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1917399110.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916952985.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916824780.0000000010DB8000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1916249538.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://mobile-rest.freecharge.in/rest/upi/v2/ar/balance-enquiry?fcAppType=android&fcChannel=3&fcversZSXKXOnBw.exe, 00000000.00000003.1778318642.000000000B94C000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000002.00000003.1847667150.000000000B954000.00000004.00000020.00020000.00000000.sdmp, vGgGSjuZNP.exe, 00000008.00000003.1974532377.000000000B94B000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.founder.com.cn/cns-evGgGSjuZNP.exe, 00000002.00000003.1906507910.0000000010DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP:185.199.111.133
Domain:raw.githubusercontent.com
Country:Netherlands
ASN:54113
ASN Name:FASTLYUS
Malicious:false
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1589483
                                      Start date and time:2025-01-12 16:10:26 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 17s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
Number of new started processes analysed:29
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:sZSXKXOnBw.exe
                                      Detection:MAL
                                      Classification:mal96.troj.evad.winEXE@33/32@1/1
                                      EGA Information:
                                      • Successful, ratio: 33.3%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 4.245.163.56, 184.28.90.27, 13.107.246.45
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target sZSXKXOnBw.exe, PID 6180 because there are no executed functions
• Execution Graph export aborted for target vGgGSjuZNP.exe, PID 2020 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      No simulations
                                      Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1019
                                      Entropy (8bit):5.334408101546384
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84D8mE4qpsXE4qdKm:MIHK5HKH1qHiYHKh3ogvD8mHpHA
                                      MD5:1E2972F586E5ED70EE8CAA7A54EC02C8
                                      SHA1:F3E2EB8EA380E8F5F2B98DA78FC74CD9FDCD0D3F
                                      SHA-256:CA3B2A253FFE455D171E6A56DE43A0AD5F6693031F5E7571BBE12F066D8A6826
                                      SHA-512:414E3F5B11027D2880822D87CD0EA22FAA3CF3700FD9D329B9A47B00A5385B19E1FEDCCD73A372A0961B466FD0DAD481628788D5BAE02AFD4432384FE78BE08D
                                      Malicious:true
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Man
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1019
                                      Entropy (8bit):5.334408101546384
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84D8mE4qpsXE4qdKm:MIHK5HKH1qHiYHKh3ogvD8mHpHA
                                      MD5:1E2972F586E5ED70EE8CAA7A54EC02C8
                                      SHA1:F3E2EB8EA380E8F5F2B98DA78FC74CD9FDCD0D3F
                                      SHA-256:CA3B2A253FFE455D171E6A56DE43A0AD5F6693031F5E7571BBE12F066D8A6826
                                      SHA-512:414E3F5B11027D2880822D87CD0EA22FAA3CF3700FD9D329B9A47B00A5385B19E1FEDCCD73A372A0961B466FD0DAD481628788D5BAE02AFD4432384FE78BE08D
                                      Malicious:false
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Man
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode
                                      Category:dropped
                                      Size (bytes):24448
                                      Entropy (8bit):6.021815002677403
                                      Encrypted:false
                                      SSDEEP:384:vGghlfJ9PrivEdmCn9C3SOEt6zV62qvH+h7jf43W8TUZw0MvH+h7jf43W8TUZhwK:lrikmC9CCOEt6z/qvH+h7r4G8TIw0Mvg
                                      MD5:63F874D192FB3892D88D5E26F942B5E2
                                      SHA1:1CE1ED312B41A237CB253C706290C0FD7287859D
                                      SHA-256:87EB14D41EEEAC0BD7FE0C62ECE05134BBF1EE8059B6E3E701D7F4A7799506DC
                                      SHA-512:ACEA89E459D5EDB937056E86D1E9ACC430206957B7DB98C67AA0D629013BF8F626E29684199D86F712CAED6E3F265A984E0EEFD6E33E7FF3DB77057720AB7F5C
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jan 12 14:11:29 2025, mtime=Sun Jan 12 14:11:32 2025, atime=Sun Jan 12 14:11:30 2025, length=40714240, window=hide
                                      Category:dropped
                                      Size (bytes):597
                                      Entropy (8bit):5.1535055132963175
                                      Encrypted:false
                                      SSDEEP:12:8mtmAj/Q1qzYNbR1cyx5Yuxy9jA6DxAKOUm2RmFomVct:8mnj/QTn10Oy5A6DxAlORmyt
                                      MD5:DBF3FFE274F3C8854DC7D5F091B7FEFE
                                      SHA1:81C374AB5D2984110D83D3C029D4BD3A0E42A0EA
                                      SHA-256:D055743ADC9526C26E27AA23B553509F24C95073F91331D3E0408163359329E3
                                      SHA-512:901B6D5650FCCA35649EBBA28FB740F127B1B4148476EC3C5630B9462D2FEF62DA5A3278C541F6BD65AA2E035AF4E680C1C506F0501E445ABE0A9217042B3993
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):119
                                      Entropy (8bit):4.732176770164615
                                      Encrypted:false
                                      SSDEEP:3:OIviYQuF2yCtZKdYrDxycUQuEULa4PaCtZKgJHMKw0Ovn:OI69uF2ymKdKnJu9KmKgJHMhvn
                                      MD5:48CCDFA5C33C5673013C048EBA2E6B8E
                                      SHA1:6D50D7F64E40A6F0BEBA8115FEBDA0D891BFFC92
                                      SHA-256:D3D9F93BCFFCE02EE35C2608D8D9AE2DB2A09FFD1AF341B263FC5959392C8920
                                      SHA-512:117422E3E8CABA6F71192915C066BC108FE1C1A9C2E63C815CD7B2BD3A6CCF98FA5D8D3B77E0F946F94C669E3A9FFD07BE6787A897F085795816EDBF9BAF26EC
                                      Malicious:false
Preview:
12-Jan-2025 10:11:49.840 : Program.Main : User Start NGET
12-Jan-2025 10:11:51.387 : Program.Main : Validation Start
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):534
                                      Entropy (8bit):5.111063294208867
                                      Encrypted:false
                                      SSDEEP:12:TMHdG3VOcrg9LNFF7ap+5/Fw+uff/2/xFicYo4xT:2dErSPF7N/FwRfH2/L9y
                                      MD5:4B14782CB47160B63EDB3A1374A75347
                                      SHA1:0632CF59CF6ECF19847E241A81B8AE4EF4C41864
                                      SHA-256:A5991E80A38E2AA164E09BEB42CB87F70936F04DFA59370B0DBCF633EECDA089
                                      SHA-512:836A3F35EF5237BCE387E1B595DEF60D07E1A0C7D1A4B0BED3E12C3EB6E4AC44C2A492409581F8C19334BB7A5DEDBF885BE4E2C2FF74987630892B96EBDCCB5C
                                      Malicious:false
Preview:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="BouncyCastle.Crypto" publicKeyToken="0e99375e54769942" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-1.8.5.0" newVersion="1.8.5.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                      Category:dropped
                                      Size (bytes):7116310
                                      Entropy (8bit):7.997425165063183
                                      Encrypted:true
                                      SSDEEP:196608:eXwPdMUhJaA7RNN8VDMwxK6P7+Wc1yw1ZI25bxVS:eAV7oAyVDzxKMiUYxpxo
                                      MD5:ACFC66BDC0874B0B5AA95AA4B704EE5A
                                      SHA1:780A2408B52ED2B9D24867440C8B9EE9FDF301CF
                                      SHA-256:BBA273900F9564A3AF9DCEDF90E43F5960A431F56927B68F5D0C29E833C64ED6
                                      SHA-512:8836FE397E72030CADC9D78C7C7DC0B2AC5125B0B5ABB12256F65C4F8B37A5CBAF29D149E3B00687FF278E2A091CCD034A6FFAB3C3C1AF44A0F3EC02D5428E45
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\sZSXKXOnBw.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):40714240
                                      Entropy (8bit):7.979590120899689
                                      Encrypted:false
                                      SSDEEP:786432:FYXQkw++7HaRK+qjAnv7aXWFOJRD600LPGiH72CujWDhgPwlm5v1npyDu:FcdYEK++An2WFOJRD600LPGiHpfhgPw6
                                      MD5:7E9BB4D78101740566C64724C56573B9
                                      SHA1:5CF8BA12AF98C1F0B90AB15CFECC1FC5F3241372
                                      SHA-256:90BFCE53578F6F532E9947668112EEAB461ACC176F499FEEC880A9326815214E
                                      SHA-512:C240FFD40007CE2D67E72BC52C0B3348E1C07B3B2A340543781363617690E5607D6D0CFAB2BB7DB57AA895081C817DC2A550CF2929040EBFA2AACB67FB76E86D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 42%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1625088
                                      Entropy (8bit):6.529811892106442
                                      Encrypted:false
                                      SSDEEP:49152:H+PCM/q8roxO/scjdY7mrGsyCuB5SDdrzYC:H+JZEwB
                                      MD5:A0D07D0E354C7760497EF7EA6227B937
                                      SHA1:10CFC3FF37B8B492A2130D1CDA2CCFA8788A9650
                                      SHA-256:F39FC4D52B3E9E1A8D30FB8E2FFD320C1B54A5D5C5AD2444E57F0B3642CDC05E
                                      SHA-512:908C234CB616EDC87A76D9153A6DA8F2A1013C477602EC2068DC598592CD1355569F42989B1F4B29AB43F9DDE3912DBFD9BFB01EAEDBF6960277D629F75E24EB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):4168192
                                      Entropy (8bit):6.666546959084921
                                      Encrypted:false
                                      SSDEEP:49152:AyeqkefPjBthD9lmJ/teqmlWjIBpSbVqS/hlpC5GiptUw2qv5Nan6hI7G2f7S5V:9NDPqBEWbq2qv7J
                                      MD5:2813455700FB7C1BC09738CA56AE7DA7
                                      SHA1:54DE0B23A10ACC5A97C61B00DBFEE9A4B4CE0A80
                                      SHA-256:DFCB3E6ED0B16BC55BFDBCF53543CFE42A354B87C3E35BD3A95EEBF005D73E76
                                      SHA-512:49C2D2F22DAADB2B3D60344C2B4B1387C79EE8DC56FDC3D9E023088F1A5A18469A220A499802C1AA58498FB3DCC0D070E6C9FEA9EEA470C072EB8F8D02B9E647
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):2788352
                                      Entropy (8bit):6.73983803697782
                                      Encrypted:false
                                      SSDEEP:49152:zEuBRPoTZPD1JvFQomLfqqzn1CKVnc235nlilIQ9O6/J:DY1rg1BFcU8T
                                      MD5:446370B590A3C14E0FDA0A2029B8E6FA
                                      SHA1:58D38C3E3ACC8FB6C9E6E540E5877F89E09B5272
                                      SHA-256:DE4D04EC75095374D98F5DD7A60D14D7E2E0F76589DB693ECCF7AE658BE8CB2B
                                      SHA-512:51E29A643DD9D873AD67BD73B0FA05D887E3D1F6914227AA20513F1CBF6CE58088F24AC228087CA4A4470D93558769369F0065CD409083A6F140E17D66935C25
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1257472
                                      Entropy (8bit):6.763508943930235
                                      Encrypted:false
                                      SSDEEP:24576:UkK4+7HQip0XnKcTN3N/qUIfAuGk/Zbqw3u3yRtQbp/l+rbtqSEAl:Z+7HJp06iDV6ZbJ3uPpdVSEa
                                      MD5:20F57CDC2BBF1921AEAFC24A3550BAFB
                                      SHA1:E20D2AD819B47F58EBEAC880BD10C04F2C7C368C
                                      SHA-256:B1D183195F39D03573312CA6B232869B2D06B2DD9AFB8E7896F61EEE3EE87224
                                      SHA-512:9A2F663DFA528CE5DD27DFAD3717F146FD7074DE30916C675488F7B4E718BF0AA0B5007B937FF1FA32ACDD7C7CB1B4166C5EF0744AA599370B01C33076429FD3
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3379712
                                      Entropy (8bit):6.86501364649086
                                      Encrypted:false
                                      SSDEEP:49152:QPQ3LXmkoChDOtojwcyQc0Iq3jzfzGL+ON4Ge/MKFVsrpouf/xo7r2+gu:sQbXmkF/8+4SFqNfc
                                      MD5:E62F9EF3DD31DF439FA2A37793B035DB
                                      SHA1:14497CBF51B94AF3D89E7527B08E9199933F560C
                                      SHA-256:1700330110ADA8E4F07FB063915E60E2B585AD87D9B1948093945E4645B66D08
                                      SHA-512:11AE50C42B393DC8F2F19E75E50D348F186FCD4150F96B2564B3BF6D61C6230F14EAB0C61CDA10824735C5E0A44753D181B2932931D7EA4986C7ADCA2D12BD1F
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2336768
                                      Entropy (8bit):6.894094251328808
                                      Encrypted:false
                                      SSDEEP:49152:cDrN2OaIP2WOIyZPQhd7aLcrmArnVaB8DqYv4W6rXoYO:cDrN2OaIP2ZIE4fCUmArnk+DqYQ
                                      MD5:A87BA6AC613B8ECB5ED033E57B871E6F
                                      SHA1:39F6C33B5E9CAE045854B711AF29FC4B916B79BF
                                      SHA-256:7F4873CDB78B9CD18C069EAE434D38DD14E987531866463357CF51C016241820
                                      SHA-512:8CAC87AAF7F7E335C82BBB4ADACDAF81DF9D36E719FD26A1B1E95F169134013677EA06202A3B9C5A3E02584D3CA6CD629AE34C6B8D70BD74FF2E2A2E6C474C7D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      File Type:TrueType Font data, 15 tables, 1st "OS/2", 21 names, Unicode
                                      Category:dropped
                                      Size (bytes):24448
                                      Entropy (8bit):6.021815002677403
                                      Encrypted:false
                                      SSDEEP:384:vGghlfJ9PrivEdmCn9C3SOEt6zV62qvH+h7jf43W8TUZw0MvH+h7jf43W8TUZhwK:lrikmC9CCOEt6z/qvH+h7r4G8TIw0Mvg
                                      MD5:63F874D192FB3892D88D5E26F942B5E2
                                      SHA1:1CE1ED312B41A237CB253C706290C0FD7287859D
                                      SHA-256:87EB14D41EEEAC0BD7FE0C62ECE05134BBF1EE8059B6E3E701D7F4A7799506DC
                                      SHA-512:ACEA89E459D5EDB937056E86D1E9ACC430206957B7DB98C67AA0D629013BF8F626E29684199D86F712CAED6E3F265A984E0EEFD6E33E7FF3DB77057720AB7F5C
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\netsh.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):7
                                      Entropy (8bit):2.2359263506290326
                                      Encrypted:false
                                      SSDEEP:3:t:t
                                      MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                      SHA1:D750F8260312A40968458169B496C40DACC751CA
                                      SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                      SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                      Malicious:false
                                      Preview:Ok.....
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.979590120899689
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.62%
                                      • Win32 Executable (generic) a (10002005/4) 49.57%
                                      • Windows ActiveX control (116523/4) 0.58%
                                      • InstallShield setup (43055/19) 0.21%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:sZSXKXOnBw.exe
                                      File size:40'714'240 bytes
                                      MD5:7e9bb4d78101740566c64724c56573b9
                                      SHA1:5cf8ba12af98c1f0b90ab15cfecc1fc5f3241372
                                      SHA256:90bfce53578f6f532e9947668112eeab461acc176f499feec880a9326815214e
                                      SHA512:c240ffd40007ce2d67e72bc52c0b3348e1c07b3b2a340543781363617690e5607d6d0cfab2bb7db57aa895081c817dc2a550cf2929040ebfa2aacb67fb76e86d
                                      SSDEEP:786432:FYXQkw++7HaRK+qjAnv7aXWFOJRD600LPGiH72CujWDhgPwlm5v1npyDu:FcdYEK++An2WFOJRD600LPGiHpfhgPw6
                                      TLSH:8597128E2160D1F3FD83883AF26296997D617E45532394CFFB10325E97392E616B40BB
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.,f..........#..........0L.............. ....@..........................pm.....T.m....................................
                                      Icon Hash:0f33315c7871138f
                                      Entrypoint:0x43d9f9
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x662CE760 [Sat Apr 27 11:54:08 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:2abab44f29387a768ac32ec5f31bee3f
                                      Instruction
                                      call 00007FC0F16809BDh
                                      jmp 00007FC0F16782ACh
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      mov ecx, dword ptr [esp+04h]
                                      test ecx, 00000003h
                                      je 00007FC0F16784B6h
                                      mov al, byte ptr [ecx]
                                      add ecx, 01h
                                      test al, al
                                      je 00007FC0F16784E0h
                                      test ecx, 00000003h
                                      jne 00007FC0F1678481h
                                      add eax, 00000000h
                                      lea esp, dword ptr [esp+00000000h]
                                      lea esp, dword ptr [esp+00000000h]
                                      mov eax, dword ptr [ecx]
                                      mov edx, 7EFEFEFFh
                                      add edx, eax
                                      xor eax, FFFFFFFFh
                                      xor eax, edx
                                      add ecx, 04h
                                      test eax, 81010100h
                                      je 00007FC0F167847Ah
                                      mov eax, dword ptr [ecx-04h]
                                      test al, al
                                      je 00007FC0F16784C4h
                                      test ah, ah
                                      je 00007FC0F16784B6h
                                      test eax, 00FF0000h
                                      je 00007FC0F16784A5h
                                      test eax, FF000000h
                                      je 00007FC0F1678494h
                                      jmp 00007FC0F167845Fh
                                      lea eax, dword ptr [ecx-01h]
                                      mov ecx, dword ptr [esp+04h]
                                      sub eax, ecx
                                      ret
                                      lea eax, dword ptr [ecx-02h]
                                      mov ecx, dword ptr [esp+04h]
                                      sub eax, ecx
                                      ret
                                      lea eax, dword ptr [ecx-03h]
                                      mov ecx, dword ptr [esp+04h]
                                      sub eax, ecx
                                      ret
                                      lea eax, dword ptr [ecx-04h]
                                      mov ecx, dword ptr [esp+04h]
                                      sub eax, ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 20h
                                      mov eax, dword ptr [ebp+08h]
                                      push esi
                                      push edi
                                      push 00000008h
                                      pop ecx
                                      mov esi, 00452628h
                                      lea edi, dword ptr [ebp-20h]
                                      rep movsd
                                      mov dword ptr [ebp-08h], eax
                                      mov eax, dword ptr [ebp+0Ch]
                                      test eax, eax
                                      pop edi
                                      mov dword ptr [ebp-04h], eax
                                      pop esi
                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x69310          0x104         .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x362000         0x2374db0     .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x5f448          0x40          .rdata
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IAT             0x52000          0x440         .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                       Name    Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                                       .text   0x1000           0x50a40       0x51000    16ec38802287decd4bc23d69fc52a092  False     0.5337968991126543  data       6.7656997091833615  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata  0x52000          0x1898e       0x19000    1883c5c8e6ff2a036fe442f385831eae  False     0.323076171875      data       5.19947779312424    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data   0x6b000          0x137df8      0x135000   791acd23cadf1ad6d6044b7f7ca4ff46  False     0.44402463845064727 data       6.63015819748243    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .GS.    0x1a3000         0x1be160      0x1bf000   0cd68c92d404c165eb7c7f011622246c  False     0.9397016350321589  data       7.697127639688447   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc   0x362000         0x2374db0     0x2375000  bee8a5182992c62a06167d30aaa0772a  unknown   unknown             unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       Name           RVA        Size       Type                                                                                            Language  Country  ZLIB Complexity
                                       RT_ICON        0x362178   0x10a8     Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m                      0.14657598499061913
                                       RT_RCDATA      0x363220   0x2372acf  data                                                                                                                0.9406948089599609
                                       RT_GROUP_ICON  0x26d5cf0  0x14       data                                                                                                                1.1
                                       RT_VERSION     0x26d5d04  0x352      data                                                                                                                0.4388235294117647
                                       RT_MANIFEST    0x26d6058  0xd57      XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                   0.39092240117130306
                                       DLL           Import
                                       KERNEL32.dll  FreeLibrary, Sleep, GetTickCount, InterlockedIncrement, InterlockedDecrement, SetLastError, HeapFree, GetProcessHeap, HeapReAlloc, HeapAlloc, InitializeCriticalSection, DeleteCriticalSection, FindResourceExA, GetUserDefaultUILanguage, GetCurrentProcessId, CompareStringW, CloseHandle, SetEvent, GetLastError, CompareStringA, WaitForSingleObject, lstrcpyW, GetSystemTimeAsFileTime, FindFirstFileW, FindClose, WriteFile, lstrcatW, SetFileTime, FormatMessageA, GetModuleFileNameW, CreateFileA, ReadFile, IsBadReadPtr, SetFilePointer, CreateEventA, GetModuleFileNameA, GetCurrentProcess, GetWindowsDirectoryA, GetVolumeInformationA, FlushInstructionCache, WriteConsoleW, SetEnvironmentVariableW, WriteConsoleA, FlushFileBuffers, SetStdHandle, GetStringTypeW, GetStringTypeA, QueryPerformanceCounter, GetCommandLineW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleMode, GetConsoleCP, GetStartupInfoA, GetFileType, SetHandleCount, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, GetTimeZoneInformation, GetCurrentThreadId, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStdHandle, HeapCreate, VirtualFree, RtlUnwind, GetStartupInfoW, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, CreateThread, ResumeThread, ExitThread, GetSystemInfo, VirtualAlloc, GetThreadLocale, GetLocaleInfoA, GetACP, HeapSize, HeapDestroy, GetVersionExA, RaiseException, WideCharToMultiByte, lstrlenW, lstrcmpiW, SetEnvironmentVariableA, IsBadWritePtr, VirtualProtect, VirtualQuery, lstrcmpiA, MultiByteToWideChar, GlobalAlloc, ExitProcess, lstrcmpA, LoadLibraryA, GetProcAddress, LockResource, LoadResource, SizeofResource, FindResourceA, lstrcpyA, lstrlenA, GetModuleHandleA, InterlockedExchange, GlobalFree, GlobalUnlock, LeaveCriticalSection, GlobalLock, EnterCriticalSection, GetConsoleOutputCP
                                       USER32.dll    UnregisterClassA, ReleaseDC, GetWindowTextA, GetWindowRect, SetCursor, GetWindowLongA, LoadCursorA, GetSystemMetrics, SetWindowLongA, GetParent, GetCursorPos, GetDesktopWindow, MapWindowPoints, SetWindowPos, SendMessageA, SetForegroundWindow, ReleaseCapture, PostMessageA, BeginPaint, GetMessageA, TranslateMessage, DrawIcon, DispatchMessageA, LoadIconA, CreateDialogIndirectParamA, SetTimer, EndPaint, LoadStringA, SetClassLongA, KillTimer, DestroyWindow, EndDialog, PtInRect, GetDC, DrawEdge, InvalidateRect, GetClassNameA, PostQuitMessage, OffsetRect, TrackMouseEvent, LoadImageA, ScreenToClient, SetActiveWindow, GetWindowTextLengthA, IsDialogMessageA, SetWindowTextA, EnableWindow, GetActiveWindow, UpdateWindow, AdjustWindowRectEx, CallWindowProcA, CreateWindowExA, RegisterClassExA, DefWindowProcA, ShowWindow, SetFocus, TranslateAcceleratorA, DrawFocusRect, DrawTextA, SetCapture, MessageBoxA, wsprintfA, GetClientRect, FillRect
                                       GDI32.dll     DeleteObject, CreateDIBSection, CreateSolidBrush, LineTo, MoveToEx, CreatePen, CreateCompatibleBitmap, CreateFontIndirectA, CreateCompatibleDC, DeleteDC, TextOutA, GetObjectA, SetBkMode, GetStockObject, StretchBlt, SetDIBColorTable, GetDIBColorTable, SelectObject, BitBlt, GetTextExtentPointA, SetTextColor
                                       ADVAPI32.dll  RegQueryValueExA, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, RegSetValueExA
                                       ole32.dll     CoSetProxyBlanket, CoInitializeEx, CreateStreamOnHGlobal, CoCreateInstance
                                       OLEAUT32.dll  SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, GetErrorInfo, SafeArrayPutElement, SysAllocStringLen, VariantChangeType, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, SysFreeString, SysStringLen, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, VariantInit, VariantClear
                                       SHLWAPI.dll   StrRChrW
                                       gdiplus.dll   GdipDeleteGraphics, GdipGetImagePaletteSize, GdipGetImageGraphicsContext, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipGetImagePalette, GdipBitmapLockBits, GdipDisposeImage, GdipDrawImageI, GdipFree, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipAlloc
                                       MSIMG32.dll   TransparentBlt, AlphaBlend
                                       iphlpapi.dll  GetAdaptersInfo
                                       VERSION.dll   GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
                                       Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                       Jan 12, 2025 16:11:43.217047930 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.217082977 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.217217922 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.234405041 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.234420061 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.700575113 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.700654030 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.705580950 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.705590963 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.705988884 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.808856010 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.855320930 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.956645012 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.956821918 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.956882954 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.956898928 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.956994057 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957092047 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957185984 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.957191944 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957231998 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.957237005 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957529068 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957627058 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957678080 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.957683086 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.957722902 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.961380959 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.971857071 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:43.971968889 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:43.971975088 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.018594980 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:44.049977064 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050194025 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050250053 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:44.050257921 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050354004 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050395012 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:44.050400019 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050550938 CET  443          49739      185.199.111.133  192.168.2.4
                                       Jan 12, 2025 16:11:44.050653934 CET  49739        443        192.168.2.4      185.199.111.133
                                       Jan 12, 2025 16:11:44.054094076 CET  49739        443        192.168.2.4      185.199.111.133
                                       Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                       Jan 12, 2025 16:11:43.203854084 CET  57770        53         192.168.2.4  1.1.1.1
                                       Jan 12, 2025 16:11:43.210571051 CET  53           57770      1.1.1.1      192.168.2.4
                                       Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
                                       Jan 12, 2025 16:11:43.203854084 CET  192.168.2.4  1.1.1.1  0xff52    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
                                       Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
                                       Jan 12, 2025 16:11:43.210571051 CET  1.1.1.1    192.168.2.4  0xff52    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
                                       Jan 12, 2025 16:11:43.210571051 CET  1.1.1.1    192.168.2.4  0xff52    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
                                       Jan 12, 2025 16:11:43.210571051 CET  1.1.1.1    192.168.2.4  0xff52    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
                                       Jan 12, 2025 16:11:43.210571051 CET  1.1.1.1    192.168.2.4  0xff52    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
                                      • raw.githubusercontent.com
                                       Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                       0           192.168.2.4  49739        185.199.111.133  443               2724  C:\Users\user\Desktop\vGgGSjuZNP.exe
                                       Timestamp                Bytes transferred  Direction  Data
                                       2025-01-12 15:11:43 UTC  110                OUT        GET /AYAAN1980/HtmlPDF/main/DS-DIGIT.TTF HTTP/1.1
                                       Host: raw.githubusercontent.com
                                       Connection: Keep-Alive
                                       2025-01-12 15:11:43 UTC  900                IN         HTTP/1.1 200 OK
                                      Connection: close
                                      Content-Length: 24448
                                      Cache-Control: max-age=300
                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                      Content-Type: application/octet-stream
                                      ETag: "89bc54705259d3f2d32d84e9147123d7f2488f209e9d33e6848c46257a817326"
                                      Strict-Transport-Security: max-age=31536000
                                      X-Content-Type-Options: nosniff
                                      X-Frame-Options: deny
                                      X-XSS-Protection: 1; mode=block
                                      X-GitHub-Request-Id: 50B0:EFC23:18EBD30:1BD1C96:6783D90E
                                      Accept-Ranges: bytes
                                      Date: Sun, 12 Jan 2025 15:11:43 GMT
                                      Via: 1.1 varnish
                                      X-Served-By: cache-ewr-kewr1740070-EWR
                                      X-Cache: HIT
                                      X-Cache-Hits: 0
                                      X-Timer: S1736694704.861146,VS0,VE54
                                      Vary: Authorization,Accept-Encoding,Origin
                                      Access-Control-Allow-Origin: *
                                      Cross-Origin-Resource-Policy: cross-origin
                                      X-Fastly-Request-ID: 6d10d7552cc469b509965389bea83bd1c6fb9dae
                                      Expires: Sun, 12 Jan 2025 15:16:43 GMT
                                      Source-Age: 0
                                      Target ID:0
                                      Start time:10:11:24
                                      Start date:12/01/2025
                                      Path:C:\Users\user\Desktop\sZSXKXOnBw.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\sZSXKXOnBw.exe"
                                      Imagebase:0x400000
                                      File size:40'714'240 bytes
                                      MD5 hash:7E9BB4D78101740566C64724C56573B9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:10:11:31
                                      Start date:12/01/2025
                                      Path:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\vGgGSjuZNP.exe" sZSXKXOnBw.exe
                                      Imagebase:0x400000
                                      File size:40'714'240 bytes
                                      MD5 hash:7E9BB4D78101740566C64724C56573B9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 42%, ReversingLabs
                                      Reputation:low
                                      Has exited:false

                                      Target ID:7
                                      Start time:10:11:40
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Users\user\Desktop\vGgGSjuZNP.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\vGgGSjuZNP.exe" "sZSXKXOnBw.exe"
                                      Imagebase:0x400000
                                      File size:40'714'240 bytes
                                      MD5 hash:7E9BB4D78101740566C64724C56573B9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set heuristics disabled
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global autotuninglevel=normal
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global congestionprovider=ctcp
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global ecncapability=default
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global rss=enabled
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global chimney=disabled
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global dca=enabled
                                      Imagebase:0x7ff72bec0000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global timestamps=disabled
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh" int tcp set global rsc=enabled
                                      Imagebase:0x1560000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:10:11:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

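Two behaviours in the process list above are worth turning into hunting logic: the rename-and-relaunch (sZSXKXOnBw.exe starts vGgGSjuZNP.exe, identical MD5, with the original file name passed as an argument) and the burst of nine `netsh int tcp set ...` invocations started in the same second from a binary under C:\Users. The following is an added example written for this page, not Joe Sandbox code. The event records are constructed to mirror the report; PIDs and parent/child links are assumptions, since the page shows only Target IDs, and the netsh children are assumed to hang off Target ID 8.

```python
"""Hunting rules for the rename-and-relaunch and the netsh TCP-tuning burst
seen in the process list. Added example, not Joe Sandbox code. Events are
constructed from the report; PIDs and parent links are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    time: datetime
    image: str
    cmdline: str
    md5: str


def split_cmdline(cmdline):
    """Minimal Windows argv split: whitespace separates, double quotes group
    and are stripped, backslashes are kept verbatim. Enough for these lines;
    the full CRT backslash-before-quote rules are deliberately not modelled."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def find_self_relaunch(events):
    """Child whose MD5 equals its parent's, whose image name differs, and whose
    arguments include the parent's file name. Returns [(parent_pid, child_pid)]."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.md5.lower() != e.md5.lower():
            continue
        pname = ntpath.basename(parent.image).lower()
        if pname == ntpath.basename(e.image).lower():
            continue
        if pname in (a.lower() for a in split_cmdline(e.cmdline)[1:]):
            hits.append((parent.pid, e.pid))
    return hits


def find_netsh_tcp_burst(events, min_count=3, window=timedelta(seconds=5)):
    """Parents that spawn at least `min_count` `netsh int tcp set ...` children
    inside `window`. One tuning command typed in an admin shell is routine;
    nine in one second from a binary under C:\\Users is not.
    Returns {parent_pid: [setting strings in launch order]}."""
    per_parent = defaultdict(list)
    for e in sorted(events, key=lambda x: x.time):  # stable: keeps launch order
        if ntpath.basename(e.image).lower() != "netsh.exe":
            continue
        toks = [t.lower() for t in split_cmdline(e.cmdline)]
        if len(toks) > 4 and toks[1] in ("int", "interface") and toks[2:4] == ["tcp", "set"]:
            per_parent[e.ppid].append((e.time, " ".join(toks[4:])))
    hits = {}
    for ppid, items in per_parent.items():
        start = items[0][0]
        burst = [s for t, s in items if t - start <= window]
        if len(burst) >= min_count:
            hits[ppid] = burst
    return hits


def at(h, m, s):
    return datetime(2025, 1, 12, h, m, s)


# Constructed events mirroring Target IDs 0, 2, 7, 8 and 9-23 of the report.
# PIDs and ppids are assumptions; the report only shows Target IDs.
D = "C:\\Users\\user\\Desktop\\"
MD5 = "7E9BB4D78101740566C64724C56573B9"
NETSH = "C:\\Windows\\SysWOW64\\netsh.exe"
EVENTS = [
    ProcEvent(1000, 400, at(10, 11, 24), D + "sZSXKXOnBw.exe", f'"{D}sZSXKXOnBw.exe"', MD5),
    ProcEvent(2000, 1000, at(10, 11, 31), D + "vGgGSjuZNP.exe", f'"{D}vGgGSjuZNP.exe" sZSXKXOnBw.exe', MD5),
    ProcEvent(7000, 2000, at(10, 11, 40), "C:\\Windows\\System32\\conhost.exe",
              "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "0D698AF330FD17BEE3BF90011D49251D"),
    ProcEvent(8000, 2000, at(10, 11, 44), D + "vGgGSjuZNP.exe", f'"{D}vGgGSjuZNP.exe" "sZSXKXOnBw.exe"', MD5),
] + [
    ProcEvent(9000 + i, 8000, at(10, 11, 44), NETSH, '"netsh" int tcp set ' + s, "4E89A1A088BE715D6C946E55AB07C7DF")
    for i, s in enumerate([
        "heuristics disabled", "global autotuninglevel=normal", "global congestionprovider=ctcp",
        "global ecncapability=default", "global rss=enabled", "global chimney=disabled",
        "global dca=enabled", "global timestamps=disabled", "global rsc=enabled",
    ])
]

if __name__ == "__main__":
    print("self-relaunch (parent, child):", find_self_relaunch(EVENTS))
    for ppid, settings in find_netsh_tcp_burst(EVENTS).items():
        print(f"netsh TCP-tuning burst from pid {ppid}: {len(settings)} commands: {settings}")
```

On a live host the same two functions can be fed from Sysmon Event ID 1 or Security 4688 (ProcessId, ParentProcessId, Image, CommandLine, Hashes); the MD5 comparison is what separates the relaunch from an ordinary updater that drops a differently-built binary, and the time window is what separates a scripted burst from an administrator typing one tuning command.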

                                        Execution Graph

                                        Execution Coverage:23.4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:66.7%
                                        Total number of Nodes:6
                                        Total number of Limit Nodes:0
execution_graph (6 nodes; edges as node -> successor):
  43d9f9 -> 445f26
  445f26 -> 445f56, 445f49
  445f49 -> 445f56, 445f4d
  445f56 [GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter] -> 445f4d
  445f4d -> 43d9fe
  43d9fe -> 43d9fe

                                        Callgraph

callgraph (caller -> callees):
  Function_0043E603 -> Function_0043F984
  Function_0043F984 -> Function_0043F7AB, Function_0043F83D
  Function_0043F6C8 -> Function_0043C41E, Function_0043E6E0
  Function_0043E616 -> Function_0043E603, Function_0043E5F0, Function_0043E5B5
  Function_0043C41E -> Function_0043B6A7, Function_0043E5F0
  Function_0043AE1D -> Function_0043E616, Function_0043AE1D (self), Function_0043ADDC, Function_0043F822, Function_0043B6A7, Function_0043F86F, Function_0043E5F0, Function_0043FDB0, Function_0043F837, Function_0043F9FB, Function_0043F83D
  Function_0043ADDC -> Function_0043F984, Function_0043FDB0, Function_0043FB34, Function_0043F9FB
  Function_0043F663 -> Function_00447B2E
  Function_0043B6A7 -> Function_0044199C, Function_0043F7AB
  Function_0043F7AB -> Function_0043F6C8
  Function_00447B2E -> Function_0043B6A7, Function_0043E5F0
  Function_0043F86F -> Function_0043F7AB
  Function_0043E5F0 -> Function_0043F984
  Function_0043FDB0 -> Function_0043FD60, Function_0043FD30
  Function_0043FB34 -> Function_0043F7AB
  Function_0043F9FB -> Function_0043F984, Function_0043C33E
  Function_0043D9F9 -> Function_00445F26
  Function_0043C33E -> Function_0043F663, Function_0043F7AB
  Function_0043F83D -> Function_0043F7AB
  No outgoing calls: Function_0044199C, Function_0043DF5D, Function_0043F822, Function_00445F26, Function_0043E6E0, Function_0043FD60, Function_0043FD30, Function_0043F837, Function_0043E5B5

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0043F83D: TlsGetValue.KERNEL32(?,0043AE22), ref: 0043F844
                                          • Part of subcall function 0043F83D: TlsSetValue.KERNEL32(00000000,0043AE22), ref: 0043F865
                                          • Part of subcall function 0043F822: TlsGetValue.KERNEL32(?,0043AE2D,00000000), ref: 0043F82C
                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 0043AE44
                                        • ExitThread.KERNEL32 ref: 0043AE4B
                                        • CreateThread.KERNEL32(00000000,?,0043AE1D,00000000,00000004,00000000), ref: 0043AF03
                                        • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 0043AF13
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043AF1E
                                        • __dosmaperr.LIBCMT ref: 0043AF36
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.3619321287.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3619252984.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619367948.0000000000452000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619403707.000000000046B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619473671.000000000046D000.00000008.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_vGgGSjuZNP.jbxd
                                        Similarity
                                        • API ID: ThreadValue$ErrorLast$CreateExitResume__dosmaperr
                                        • String ID:
                                        • API String ID: 1421997792-0
                                        • Opcode ID: e5201e6d34afa2921fc95f946d628e313e99d21ffcb5b2ebc4f54ad5e8e98abb
                                        • Instruction ID: 8f8596a89a85ecec8b4a3dc895ae1eaea928c96a511ba3fcb1bd314a5cbd4c28
                                        • Opcode Fuzzy Hash: e5201e6d34afa2921fc95f946d628e313e99d21ffcb5b2ebc4f54ad5e8e98abb
                                        • Instruction Fuzzy Hash: 173122B1841300AFD718BF729D4A95F7BA4EF4C329F20563FF554922A2DB78C8058A5E

                                        Control-flow Graph

control_flow_graph (basic blocks; edges as block -> successor):
  43addc-43adf8  call 43df18, call 43f9fb  -> 43adb1, 43ad9c
  43ad9c-43ada9  call 43fdb0               -> 43adb1, 43adab
  43adab                                   -> 43adb1
  43adb1-43adbb  call 43f984               -> 43add3, 43adbd
  43adbd-43adc3                            -> 43adc5, 43adcc
  43adc5-43adc6  CloseHandle               -> 43adcc
  43adcc-43add2  call 43fb34               -> 43add3
  43add3-43add5  ExitThread
                                        APIs
                                          • Part of subcall function 0043F9FB: __amsg_exit.LIBCMT ref: 0043FA09
                                        • CloseHandle.KERNEL32(?), ref: 0043ADC6
                                        • __freeptd.LIBCMT ref: 0043ADCD
                                        • ExitThread.KERNEL32 ref: 0043ADD5
                                          • Part of subcall function 0043FDB0: __FindPESection.LIBCMT ref: 0043FE09
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.3619321287.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3619252984.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619367948.0000000000452000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619403707.000000000046B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619473671.000000000046D000.00000008.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_vGgGSjuZNP.jbxd
                                        Similarity
                                        • API ID: CloseExitFindHandleSectionThread__amsg_exit__freeptd
                                        • String ID:
                                        • API String ID: 1262231458-0
                                        • Opcode ID: b23d0af45d41ee54e17b61858cfc5b22db630a960199009171090f466a26fffd
                                        • Instruction ID: 86bd6b700fd1742491bf267ee1f7a06fa6d34f24a60a48abfe277de77b901c7b
                                        • Opcode Fuzzy Hash: b23d0af45d41ee54e17b61858cfc5b22db630a960199009171090f466a26fffd
                                        • Instruction Fuzzy Hash: 8DF0BE31941601EBD7146BA49A0DB6E3722AF0D717F64212BF242855E2CBACC809865E

                                        Control-flow Graph

control_flow_graph (basic blocks; edges as block -> successor):
  43f7ab-43f7bc  TlsGetValue       -> 43f7df, 43f7be
  43f7be-43f7c6                    -> 43f7df, 43f7c8
  43f7c8-43f7d5  TlsGetValue       -> 43f7df, 43f7d7
  43f7d7-43f7dd                    -> 43f805
  43f7df-43f7ee  GetModuleHandleA  -> 43f813, 43f7f0
  43f7f0-43f7f7  call 43f6c8       -> 43f813, 43f7f9
  43f7f9-43f7ff  GetProcAddress    -> 43f805
  43f805-43f807                    -> 43f813, 43f809
  43f809-43f80f                    -> 43f813
  43f813-43f818
                                        APIs
                                        • TlsGetValue.KERNEL32(00000000,0043F85B,?,0043AE22), ref: 0043F7B8
                                        • TlsGetValue.KERNEL32(00000005,?,0043AE22), ref: 0043F7CF
                                        • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0043AE22), ref: 0043F7E4
                                        • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0043F7FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.3619321287.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3619252984.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619367948.0000000000452000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619403707.000000000046B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3619473671.000000000046D000.00000008.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_400000_vGgGSjuZNP.jbxd
                                        Similarity
                                        • API ID: Value$AddressHandleModuleProc
                                        • String ID: DecodePointer$KERNEL32.DLL
                                        • API String ID: 1929421221-629428536
                                        • Opcode ID: 88f913852e08c1575371cd1b3d4c95e2569a501468fffc6810ca2a17cca08315
                                        • Instruction ID: 245ecc31fb8c1607d4a4382ea1dab8f694e76174c75a8ccf15531d552fbd5d54
                                        • Opcode Fuzzy Hash: 88f913852e08c1575371cd1b3d4c95e2569a501468fffc6810ca2a17cca08315
                                        • Instruction Fuzzy Hash: DCF02B30A002139B86296B35EE00A5F3AD4DF09751F155537FC14D23F2EB68CD468A9D
                                        Memory Dump Source
                                        • Source File: 00000008.00000003.1991964893.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_3_2e0d000_vGgGSjuZNP.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2dc05e82adc5244261f3c1bd208858d723e352e71bf836d69692e42c3cdb5b3e
                                        • Instruction ID: dc8371142d06f5dea82878b38401ca090b31b785f55b7cdf8bd8c07c7235d5c7
                                        • Opcode Fuzzy Hash: 2dc05e82adc5244261f3c1bd208858d723e352e71bf836d69692e42c3cdb5b3e
                                        • Instruction Fuzzy Hash: 0E716EA541FBD79FE7035B304C606857FB0AEA722470E09DAC1C18F1A3E159859EC7A3