Windows Analysis Report
IAdjMfB2A5.exe

Overview

General Information

Sample name: IAdjMfB2A5.exe (renamed because original name is a hash value)
Original sample name: f126b1c0b4ff973d9618b7287d011b61731c2b0e5e9960c72f5ef444288aa8dc.exe
Analysis ID: 1557197
MD5: a8bd5b655845ba8a23a38abfd7e1bb03
SHA1: 90b245be80f5beb8b7b0e50bf910e1b4bff1f1cf
SHA256: f126b1c0b4ff973d9618b7287d011b61731c2b0e5e9960c72f5ef444288aa8dc
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

  • System is w10x64
  • IAdjMfB2A5.exe (PID: 4324 cmdline: "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5: A8BD5B655845BA8A23A38ABFD7E1BB03)
    • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3680 cmdline: C:\Windows\system32\cmd.exe /c taskkill /IM EpicGamesLauncher.exe /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 6024 cmdline: taskkill /IM EpicGamesLauncher.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 6152 cmdline: C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 2828 cmdline: taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5948 cmdline: C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping.exe /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 2020 cmdline: taskkill /IM FortniteClient-Win64-Shipping.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5812 cmdline: C:\Windows\system32\cmd.exe /c taskkill /IM x64dbg.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 5836 cmdline: taskkill /IM x64dbg.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 5664 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5396 cmdline: C:\Windows\system32\cmd.exe /c start C:\Windows\msedge.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • msedge.exe (PID: 764 cmdline: C:\Windows\msedge.exe MD5: 4738E3496A3EFE5F19C57B764EB5BA9B)
        • WerFault.exe (PID: 320 cmdline: C:\Windows\system32\WerFault.exe -u -p 764 -s 1576 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • certutil.exe (PID: 6396 cmdline: certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)
      • find.exe (PID: 6160 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • find.exe (PID: 2380 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 6700 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6584 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 3680 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • WerFault.exe (PID: 6336 cmdline: C:\Windows\system32\WerFault.exe -u -p 4324 -s 844 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 url": ["45.84.199.152"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
IAdjMfB2A5.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
IAdjMfB2A5.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xaebba:$s6: VirtualBox
  • 0xaeb18:$s8: Win32_ComputerSystem
  • 0xb126d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb130a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb141f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb0312:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
C:\Windows\msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Windows\msedge.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Windows\msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xedba:$s6: VirtualBox
  • 0xed18:$s8: Win32_ComputerSystem
  • 0x1146d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1150a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1161f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10512:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xebba:$s6: VirtualBox
  • 0xeb18:$s8: Win32_ComputerSystem
  • 0x1126d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1130a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1141f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10312:$cnc4: POST / HTTP/1.1
0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings
0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xedba:$s6: VirtualBox
  • 0xed18:$s8: Win32_ComputerSystem
  • 0x1146d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1150a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1161f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10512:$cnc4: POST / HTTP/1.1
0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xcfba:$s6: VirtualBox
  • 0xcf18:$s8: Win32_ComputerSystem
  • 0xf66d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf70a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf81f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe712:$cnc4: POST / HTTP/1.1
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Windows\msedge.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.84.199.152"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Windows\msedge.exe | ReversingLabs: Detection: 87%
Source: IAdjMfB2A5.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\msedge.exe | Joe Sandbox ML: detected
Source: IAdjMfB2A5.exe | Joe Sandbox ML: detected
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: 45.84.199.152
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: 7000
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: <123456789>
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: <Xwormmm>
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: XWorm V5.2
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: USB.exe
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: %Public%
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack | String decryptor: Msedge.exe
Source: IAdjMfB2A5.exe, 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_89452862-2
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: IAdjMfB2A5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Xml.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.ni.pdbRSDS source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.pdbh source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Configuration.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFB01.tmp.dmp.26.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Configuration.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Core.pdbH source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Configuration.pdb`zX source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Xml.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: mscorlib.pdbP<J source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Core.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: mscorlib.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERFB01.tmp.dmp.26.dr
Source: Binary string: C:\Users\Admin\Downloads\Permanent Spoofer\Permanent Spoofer\x64\Release\Permanent Spoofer.pdb source: IAdjMfB2A5.exe
Source: Binary string: System.Management.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: mscorlib.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Management.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Core.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.ni.pdb source: WERFB01.tmp.dmp.26.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERFB01.tmp.dmp.26.dr

Networking

Source: Malware configuration extractor | URLs: 45.84.199.152
Source: Yara match | File source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.msedge.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Windows\msedge.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.0.5
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: keyauth.win
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: msedge.exe, 0000000D.00000002.2264433685.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2264433685.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: IAdjMfB2A5.exe, msedge.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: msedge.exe, 0000000D.00000002.2264433685.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.26.dr | String found in binary or memory: http://upx.sf.net
Source: IAdjMfB2A5.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/
Source: IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/em5
Source: IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/emc
Source: IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/umL
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

System Summary

Source: IAdjMfB2A5.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.0.msedge.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\msedge.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | File created: C:\Windows\msedge.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Code function: 0_2_00007FF6743C1000
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Code function: 0_2_00007FF6743D5550
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Code function: 0_2_00007FF67446580B
Source: C:\Windows\msedge.exe | Code function: 13_2_00007FF848E1237F
Source: C:\Windows\msedge.exe | Code function: 13_2_00007FF848E116FF
Source: C:\Windows\msedge.exe | Code function: 13_2_00007FF848E160DF
Source: C:\Windows\msedge.exe | Code function: 13_2_00007FF848E16E8F
Source: C:\Windows\msedge.exe | Code function: 13_2_00007FF848E10E90
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4324 -s 844
Source: IAdjMfB2A5.exe | Binary or memory string: OriginalFilename vs IAdjMfB2A5.exe
Source: IAdjMfB2A5.exe, 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemsedge.exe@ vs IAdjMfB2A5.exe
Source: IAdjMfB2A5.exe, 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemsedge.exe@ vs IAdjMfB2A5.exe
Source: IAdjMfB2A5.exe | Binary or memory string: OriginalFilenamemsedge.exe@ vs IAdjMfB2A5.exe
Source: IAdjMfB2A5.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.0.msedge.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\msedge.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: msedge.exe.0.dr, K3EtGcFLetA04ODNdK5g4Tlc3zyYrVKESf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, K3EtGcFLetA04ODNdK5g4Tlc3zyYrVKESf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, K3EtGcFLetA04ODNdK5g4Tlc3zyYrVKESf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.0.dr, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.0.dr, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, vgWlVAySzP7O3THtCP5fBBa6AikzpVbLuyqaYt6a7HYMS2pskOYRhMkSwgK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@41/6@2/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\msedge.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\msedge.exe | Mutant created: \Sessions\1\BaseNamedObjects\dJyrUNHFFGRQOvwi
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1926a5e6-7e06-4447-841d-3213527583fa
Source: IAdjMfB2A5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IAdjMfB2A5.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 46.24%
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EpicGamesLauncher.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping_BE.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "FortniteClient-Win64-Shipping.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "x64dbg.exe")
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IAdjMfB2A5.exe | ReversingLabs: Detection: 57%
Source: IAdjMfB2A5.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
Source: unknown | Process created: C:\Users\user\Desktop\IAdjMfB2A5.exe "C:\Users\user\Desktop\IAdjMfB2A5.exe"
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM EpicGamesLauncher.exe /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /IM EpicGamesLauncher.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping.exe /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM x64dbg.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /IM x64dbg.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\msedge.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\msedge.exe C:\Windows\msedge.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4324 -s 844
                      Source: C:\Windows\msedge.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 764 -s 1576
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM EpicGamesLauncher.exe /F
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping.exe /F
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM x64dbg.exe
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\msedge.exe
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /IM EpicGamesLauncher.exe /F
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping.exe /F
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /IM x64dbg.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\msedge.exe C:\Windows\msedge.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i /v "md5"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i /v "certutil"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: msvcp140.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: userenv.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: vcruntime140_1.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: vcruntime140.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: vcruntime140.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: vcruntime140_1.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: vcruntime140.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                      Source: C:\Windows\msedge.exeSection loaded: mscoree.dll
                      Source: C:\Windows\msedge.exeSection loaded: apphelp.dll
                      Source: C:\Windows\msedge.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\msedge.exeSection loaded: version.dll
                      Source: C:\Windows\msedge.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\msedge.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\msedge.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\msedge.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\msedge.exeSection loaded: sspicli.dll
                      Source: C:\Windows\msedge.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\msedge.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\msedge.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\msedge.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\msedge.exeSection loaded: amsi.dll
                      Source: C:\Windows\msedge.exeSection loaded: userenv.dll
                      Source: C:\Windows\msedge.exeSection loaded: profapi.dll
                      Source: C:\Windows\msedge.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\msedge.exeSection loaded: wldp.dll
                      Source: C:\Windows\msedge.exeSection loaded: rasapi32.dll
                      Source: C:\Windows\msedge.exeSection loaded: rasman.dll
                      Source: C:\Windows\msedge.exeSection loaded: rtutils.dll
                      Source: C:\Windows\msedge.exeSection loaded: mswsock.dll
                      Source: C:\Windows\msedge.exeSection loaded: winhttp.dll
                      Source: C:\Windows\msedge.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\msedge.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\msedge.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\msedge.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\msedge.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\msedge.exeSection loaded: winnsi.dll
                      Source: C:\Windows\msedge.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\msedge.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: certcli.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: cabinet.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: cryptui.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: netapi32.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: version.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: certca.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: certca.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: samcli.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: logoncli.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: dsrole.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\certutil.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
                      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
                      Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
                      Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
                      Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
                      Source: C:\Windows\msedge.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\msedge.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: IAdjMfB2A5.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: IAdjMfB2A5.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: IAdjMfB2A5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Xml.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.pdbh source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Configuration.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Core.pdbH source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Configuration.pdb`zX source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Xml.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: mscorlib.pdbP<J source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Core.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: mscorlib.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: C:\Users\Admin\Downloads\Permanent Spoofer\Permanent Spoofer\x64\Release\Permanent Spoofer.pdb source: IAdjMfB2A5.exe
                      Source: Binary string: System.Management.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Management.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Core.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.ni.pdb source: WERFB01.tmp.dmp.26.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WERFB01.tmp.dmp.26.dr
                      Source: IAdjMfB2A5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: IAdjMfB2A5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: IAdjMfB2A5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: IAdjMfB2A5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: IAdjMfB2A5.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.JbOHglQ9dsuk0asel3ZQBx8t0XxauzWHZ0iVgriXmoLXTDOAfogfZ6J0VaL,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.urjmjtyXMjjqUuxmGSX8DvnJt7L5rn2UYw7FOEIz4Jj7DgbN4uYId15OpEz,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK._0QXDDIcMePIpaFmwco6GJwFQCWiCYGoAiaBnMfi9prcNtM3UVTo0vyL62gT,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.EoxDFBiSVCATpnUnykM8g2wIgGIPzE9FNAOhdX5GYerIPWFhfs5DtJ9oVmv,q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.nsViMGxwMKDNjFQTFSDcQ1aCxmSeRXrbca()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2],q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.zpUDfbcYJISXjCYnOL5NqR99uLjNRA1rQM(Convert.FromBase64String(Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.JbOHglQ9dsuk0asel3ZQBx8t0XxauzWHZ0iVgriXmoLXTDOAfogfZ6J0VaL,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.urjmjtyXMjjqUuxmGSX8DvnJt7L5rn2UYw7FOEIz4Jj7DgbN4uYId15OpEz,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK._0QXDDIcMePIpaFmwco6GJwFQCWiCYGoAiaBnMfi9prcNtM3UVTo0vyL62gT,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.EoxDFBiSVCATpnUnykM8g2wIgGIPzE9FNAOhdX5GYerIPWFhfs5DtJ9oVmv,q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.nsViMGxwMKDNjFQTFSDcQ1aCxmSeRXrbca()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2],q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.zpUDfbcYJISXjCYnOL5NqR99uLjNRA1rQM(Convert.FromBase64String(Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.JbOHglQ9dsuk0asel3ZQBx8t0XxauzWHZ0iVgriXmoLXTDOAfogfZ6J0VaL,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.urjmjtyXMjjqUuxmGSX8DvnJt7L5rn2UYw7FOEIz4Jj7DgbN4uYId15OpEz,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK._0QXDDIcMePIpaFmwco6GJwFQCWiCYGoAiaBnMfi9prcNtM3UVTo0vyL62gT,fZxKo0R9gHXQ0DMv7wrFv6fFWuutND4Wdo1mB77p7ZNRdJblVPPI5huPpT2DEdZ2Ht289mbNLK.EoxDFBiSVCATpnUnykM8g2wIgGIPzE9FNAOhdX5GYerIPWFhfs5DtJ9oVmv,q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.nsViMGxwMKDNjFQTFSDcQ1aCxmSeRXrbca()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2],q4EXxgqFBVfebrrJRQRZsnHCyCxnnRNNkx.zpUDfbcYJISXjCYnOL5NqR99uLjNRA1rQM(Convert.FromBase64String(Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Q9h4v1xukw8IN2MqhoT5B0fpc2nvnaynMN[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: DGOhZm2kY6a41lNzUAO7Jv94x7DBFG4HFfb93sGOOZ9YfaI44JdpDbf5KVCxlZLQzdkK7PL4P9rrVFNN7gXvyynX3xNK System.AppDomain.Load(byte[])
                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X System.AppDomain.Load(byte[])
                      Source: msedge.exe.0.dr, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: DGOhZm2kY6a41lNzUAO7Jv94x7DBFG4HFfb93sGOOZ9YfaI44JdpDbf5KVCxlZLQzdkK7PL4P9rrVFNN7gXvyynX3xNK System.AppDomain.Load(byte[])
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X System.AppDomain.Load(byte[])
                      Source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: DGOhZm2kY6a41lNzUAO7Jv94x7DBFG4HFfb93sGOOZ9YfaI44JdpDbf5KVCxlZLQzdkK7PL4P9rrVFNN7gXvyynX3xNK System.AppDomain.Load(byte[])
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X System.AppDomain.Load(byte[])
                      Source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, s1zDChMR3v6pFTdTev1irCmHmU1wJwIWDbDCRbkB04x0k5VFirFGX15ek7YyWoQgechSINTmzW2Z0zYsJQCYgEg0npXA.cs.Net Code: VsewEVB79ECwVBBn7vM70WvdPXt5PRmB8AszIf2GVFGGTRZZRPSX4hOcf5KWfPj745nBlBaDC6PvxNpk38Omtf4qnu0X
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exe Code function: 0_2_00007FF674466AF6 push ss; ret 0_2_00007FF674466C22
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exe Code function: 0_2_00007FF674462682 push es; retf 0000h 0_2_00007FF674462686
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exe Code function: 0_2_00007FF674466C36 push ds; ret 0_2_00007FF674466C3A
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exe Code function: 0_2_00007FF67446863F push ebp; ret 0_2_00007FF67446885A
                      Source: C:\Windows\msedge.exe Code function: 13_2_00007FF848E12B23 push esi; iretd 13_2_00007FF848E12B22
                      Source: C:\Windows\msedge.exe Code function: 13_2_00007FF848E12A9D push esi; iretd 13_2_00007FF848E12B22
                      Source: msedge.exe.0.dr, 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack High entropy of concatenated method names (11 obfuscated classes in each of the three dumps)

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\msedge.exe
                      Source: C:\Users\user\Desktop\IAdjMfB2A5.exe File created: C:\Windows\msedge.exe
                      Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\msedge.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: IAdjMfB2A5.exe; Binary or memory string: [1;34M >NUL 2>&1-TASKKILL /IM EPICGAMESLAUNCHER.EXE /FTASKKILL /IM FORTNITECLIENT-WIN64-SHIPPING_BE.EXE /FTASKKILL /IM FORTNITECLIENT-WIN64-SHIPPING.EXE /FTASKKILL /IM X64DBG.EXECLSNET | PERMANENT SPOOFER
Source: IAdjMfB2A5.exe, msedge.exe, 0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: IAdjMfB2A5.exe; Binary or memory string: TASKKILL /IM X64DBG.EXE
Source: C:\Windows\msedge.exe; Memory allocated: FF0000 memory reserve | memory write watch
Source: C:\Windows\msedge.exe; Memory allocated: 1AD40000 memory reserve | memory write watch
Source: C:\Windows\System32\timeout.exe TID: 3716; Thread sleep count: 40 > 30
Source: C:\Windows\msedge.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\msedge.exe; File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.26.dr; Binary or memory string: VMware
Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.26.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.26.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.26.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.26.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.26.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 0000000D.00000002.2264851950.000000001BBF8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllysJ
Source: Amcache.hve.26.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.26.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.26.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.26.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6B8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%
Source: Amcache.hve.26.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.26.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.26.dr; Binary or memory string: vmci.syshbin`
Source: msedge.exe.0.dr; Binary or memory string: vmware
Source: Amcache.hve.26.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.26.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.26.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.26.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.26.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.26.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.26.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.26.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Source: C:\Windows\msedge.exe; Code function: 13_2_00007FF848E1764A CheckRemoteDebuggerPresent, 13_2_00007FF848E1764A
Source: C:\Windows\msedge.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF67443E718 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF67443E718
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF67443E718 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF67443E718
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF6743C1820 GetProcessHeap, 0_2_00007FF6743C1820
Source: C:\Windows\System32\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\msedge.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF67443E080 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF67443E080
Source: C:\Windows\msedge.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM EpicGamesLauncher.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping.exe /F
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /IM x64dbg.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\msedge.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM EpicGamesLauncher.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM x64dbg.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\msedge.exe C:\Windows\msedge.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM EpicGamesLauncher.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM FortniteClient-Win64-Shipping.exe /F
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\taskkill.exe taskkill /IM x64dbg.exe
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF67443D5C0 cpuid, 0_2_00007FF67443D5C0
Source: C:\Windows\msedge.exe; Queries volume information: C:\Windows\msedge.exe VolumeInformation
Source: C:\Users\user\Desktop\IAdjMfB2A5.exe; Code function: 0_2_00007FF67443E590 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF67443E590
Source: C:\Windows\msedge.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.26.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.26.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.26.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.26.dr; Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match; File source: IAdjMfB2A5.exe, type: SAMPLE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.msedge.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IAdjMfB2A5.exe PID: 4324, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: msedge.exe PID: 764, type: MEMORYSTR
Source: Yara match; File source: C:\Windows\msedge.exe, type: DROPPED

Remote Access Functionality

Source: Yara match; File source: IAdjMfB2A5.exe, type: SAMPLE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.msedge.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff674462000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.IAdjMfB2A5.exe.7ff6743c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IAdjMfB2A5.exe PID: 4324, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: msedge.exe PID: 764, type: MEMORYSTR
Source: Yara match; File source: C:\Windows\msedge.exe, type: DROPPED
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 12 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 12 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 4 Virtualization/Sandbox Evasion | LSASS Memory | 461 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 4 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 35 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1557197
Sample: IAdjMfB2A5.exe
Start date: 17/11/2024
Architecture: WINDOWS
Score: 100

Top-level DNS/IP: keyauth.win; ip-api.com
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
IAdjMfB2A5.exe (started)
  DNS/IP: keyauth.win 104.26.0.5, 443, 49708 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
  Dropped: C:\Windows\msedge.exe, PE32
  cmd.exe (started)
    Signature: Drops executables to the windows directory (C:\Windows) and starts them
    msedge.exe (started)
      DNS/IP: ip-api.com 208.95.112.1, 49712, 80 TUT-ASUS United States
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
      WerFault.exe (started)
  cmd.exe (started)
    certutil.exe (started)
    find.exe (started)
    find.exe (started)
  cmd.exe (started)
    cmd.exe (started)
      conhost.exe (started)
      timeout.exe (started)
  7 other processes
    taskkill.exe (started)
    taskkill.exe (started)
    taskkill.exe (started)
    taskkill.exe (started)

Source | Detection | Scanner | Label
IAdjMfB2A5.exe | 58% | ReversingLabs | Win64.Trojan.Dacic
IAdjMfB2A5.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Windows\msedge.exe | 100% | Avira | TR/Spy.Gen
C:\Windows\msedge.exe | 100% | Joe Sandbox ML |
C:\Windows\msedge.exe | 88% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
45.84.199.152 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
keyauth.win | 104.26.0.5 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
45.84.199.152 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.26.dr | false | | high
https://keyauth.win/api/1.2/umL | IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://keyauth.win/api/1.2/emc | IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msedge.exe, 0000000D.00000002.2264433685.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://curl.haxx.se/docs/http-cookies.html | IAdjMfB2A5.exe | false | | high
https://keyauth.win/api/1.2/ | IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://keyauth.win/api/1.2/em5 | IAdjMfB2A5.exe, 00000000.00000002.2069048420.000002351B6AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com | msedge.exe, 0000000D.00000002.2264433685.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2264433685.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
104.26.0.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557197
Start date and time: 2024-11-17 19:12:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IAdjMfB2A5.exe (renamed because original name is a hash value)
Original Sample Name: f126b1c0b4ff973d9618b7287d011b61731c2b0e5e9960c72f5ef444288aa8dc.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@41/6@2/3
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target IAdjMfB2A5.exe, PID 4324 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: IAdjMfB2A5.exe
                                            Time     | Type            | Description
                                            13:13:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                            IPs
                                            Match        | Associated Sample Name / URL | Detection | Threat Name | Context
                                            208.95.112.1 | EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | ip-api.com/json/?fields=225545
                                                         | program.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                                                         | skuld.exe | malicious | Skuld Stealer | ip-api.com/line/?fields=hosting
                                                         | SolaraBostrappers.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
                                                         | svhost.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
                                                         | Midnight.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                                                         | exe030.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                                                         | GRAINS.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                                         | SAMPLE_PHOTO.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                                         | RuntimeusererVers.exe | malicious | Python Stealer | ip-api.com/json
                                            104.26.0.5   | SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe | malicious | Unknown | -
                                                         | SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe | malicious | Unknown | -
                                                         | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | -
                                                         | SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe | malicious | Unknown | -
                                                         | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | -
                                                         | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | -
                                                         | lUAc7lqa56.exe | malicious | Unknown | -
                                                         | xVmySfWfcW.exe | malicious | Unknown | -
                                                         | LDlanZur0i.exe | malicious | Unknown | -
                                                         | xxImTScxAq.exe | malicious | Unknown | -
                                                                Domains
                                                                Match       | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                keyauth.win | SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe | malicious | Unknown | 104.26.0.5
                                                                            | SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe | malicious | Unknown | 172.67.72.57
                                                                            | SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe | malicious | Unknown | 104.26.0.5
                                                                            | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 104.26.0.5
                                                                            | SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe | malicious | Unknown | 104.26.1.5
                                                                            | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 104.26.1.5
                                                                            | SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe | malicious | Unknown | 104.26.0.5
                                                                            | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | 104.26.0.5
                                                                            | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | 104.26.0.5
                                                                            | lUAc7lqa56.exe | malicious | Unknown | 104.26.0.5
                                                                ip-api.com  | EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 208.95.112.1
                                                                            | program.exe | malicious | Blank Grabber | 208.95.112.1
                                                                            | skuld.exe | malicious | Skuld Stealer | 208.95.112.1
                                                                            | SolaraBostrappers.exe | malicious | DCRat | 208.95.112.1
                                                                            | svhost.exe | malicious | DCRat | 208.95.112.1
                                                                            | Midnight.exe | malicious | XWorm | 208.95.112.1
                                                                            | exe030.exe | malicious | XWorm | 208.95.112.1
                                                                            | GRAINS.vbs | malicious | AgentTesla | 208.95.112.1
                                                                            | SAMPLE_PHOTO.js | malicious | AgentTesla | 208.95.112.1
                                                                            | RuntimeusererVers.exe | malicious | Python Stealer | 208.95.112.1
                                                                ASNs
                                                                Match           | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
                                                                                | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.96.3
                                                                                | file.exe | malicious | LummaC | 188.114.97.3
                                                                                | file.exe | malicious | LummaC | 188.114.96.3
                                                                                | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Panda Stealer, Stealc | 188.114.96.3
                                                                                | file.exe | malicious | LummaC, Stealc | 188.114.97.3
                                                                                | https://deliversystand.com/ | malicious | Unknown | 172.67.145.172
                                                                                | https://deliversystand.com/ | malicious | Unknown | 172.67.145.172
                                                                                | file.exe | malicious | LummaC | 188.114.97.3
                                                                                | https://www.yumpu.com/en/document/read/69141128/newreviewreportsheet1124 | malicious | Unknown | 104.18.86.42
                                                                TUT-AS          | EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 208.95.112.1
                                                                                | program.exe | malicious | Blank Grabber | 208.95.112.1
                                                                                | skuld.exe | malicious | Skuld Stealer | 208.95.112.1
                                                                                | SolaraBostrappers.exe | malicious | DCRat | 208.95.112.1
                                                                                | svhost.exe | malicious | DCRat | 208.95.112.1
                                                                                | Midnight.exe | malicious | XWorm | 208.95.112.1
                                                                                | exe030.exe | malicious | XWorm | 208.95.112.1
                                                                                | GRAINS.vbs | malicious | AgentTesla | 208.95.112.1
                                                                                | https://t.ly/-kxCO | malicious | Braodo | 208.95.112.1
                                                                                | SAMPLE_PHOTO.js | malicious | AgentTesla | 208.95.112.1
                                                                JA3 Fingerprints
                                                                Match                            | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | lUAc7lqa56.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.FileRepMalware.8628.17723.exe | malicious | Unknown | 104.26.0.5
                                                                                                 | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 104.26.0.5
                                                                Dropped Files
                                                                No context
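The context tables above tie 208.95.112.1 / ip-api.com (ASN TUT-AS) to XWorm, DCRat, AgentTesla and several stealers, all fetching `ip-api.com/line/?fields=hosting` or `ip-api.com/json/?fields=225545`, which is the "check if machine is in data center or colocation facility" behaviour flagged in the signature list. The sweep below is an added example, not Joe Sandbox code or anything from the sample: it reads constructed proxy log lines in an assumed layout (time, client, process image, method, URL), flags requests to ip-api.com, decodes the `fields` parameter, and raises severity when the requester is an image sitting directly in C:\Windows, as the dropped C:\Windows\msedge.exe is in this report. The numeric bit values of the ip-api.com field mask are an assumption to verify against the service's current documentation.

```python
"""Added example (not Joe Sandbox code): flag ip-api.com hosting/proxy probes in proxy logs."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

GEOIP_HOSTS = {"ip-api.com"}
# Named fields that only make sense as an "am I in a datacenter / behind a VPN?" probe.
EVASION_FIELDS = {"hosting", "proxy"}
# ASSUMPTION: bit values of ip-api.com's numeric 'fields' mask as published in its docs
# at the time of writing; verify against the current docs before relying on them.
FIELD_BITS = {"reverse": 4096, "mobile": 65536, "proxy": 131072, "hosting": 16777216}

# ASSUMED log layout: "<ISO time> <client ip> <process image> <method> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?\.exe)\s+([A-Z]+)\s+(\S+)$", re.IGNORECASE)

# Constructed lines in the assumed layout; hosts, paths and file names mirror the report.
SAMPLE_LOG = [
    r"2024-11-17T13:12:58Z 10.0.0.15 C:\Windows\msedge.exe GET http://ip-api.com/line/?fields=hosting",
    r"2024-11-17T13:13:01Z 10.0.0.15 C:\Users\user\AppData\Local\Temp\program.exe GET http://ip-api.com/json/?fields=225545",
    r"2024-11-17T13:13:04Z 10.0.0.22 C:\Program Files\Mozilla Firefox\firefox.exe GET https://ip-api.com/json/",
    r"2024-11-17T13:13:09Z 10.0.0.22 C:\Program Files\Mozilla Firefox\firefox.exe GET https://www.example.com/",
]


@dataclass
class Finding:
    time: str
    client: str
    process: str
    url: str
    fields: frozenset
    reasons: tuple
    severity: str


def requested_fields(url: str) -> set:
    """Names of the ip-api.com fields requested; a numeric mask is decoded via FIELD_BITS."""
    names = set()
    for raw in parse_qs(urlsplit(url).query).get("fields", []):
        for item in raw.split(","):
            item = item.strip()
            if item.isdigit():
                mask = int(item)
                names.update(n for n, bit in FIELD_BITS.items() if mask & bit)
            elif item:
                names.add(item)
    return names


def in_windows_root(process: str) -> bool:
    """True for an image directly in C:\\Windows (not a subfolder). No browser installs
    there, so a 'msedge.exe' at that path is a masquerade like the one in this report."""
    return re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.exe", process) is not None


def scan(lines) -> list:
    """Return one Finding per ip-api.com request, severity low/medium/high by reason count."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout; a real parser would count these
        ts, client, process, _method, url = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host not in GEOIP_HOSTS:
            continue
        fields = requested_fields(url)
        reasons = [f"geolocation lookup against {host}"]
        probe = sorted(fields & EVASION_FIELDS)
        if probe:
            reasons.append("asks for " + "/".join(probe) + " (datacenter/VPN check)")
        if in_windows_root(process):
            reasons.append("requester runs from the root of C:\\Windows")
        severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
        findings.append(Finding(ts, client, process, url, frozenset(fields), tuple(reasons), severity))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.time} {f.client} {f.process} -> {f.url}; " + "; ".join(f.reasons))
```

A plain lookup from a browser is only noise (it stays "low"), whereas the `fields=hosting` request from C:\Windows\msedge.exe collects all three reasons; in a real deployment the process image would come from EDR or Sysmon event 3 rather than from the proxy line itself.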
                                                                Process:C:\Windows\System32\WerFault.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):65536
                                                                Entropy (8bit):1.1958689255119386
                                                                Encrypted:false
                                                                SSDEEP:192:cb56KNFGF0NxMwaWz8iyU1lxPzuiF3Z24lO8F5:A5vnNxMwa48iFxPzuiF3Y4lO8F
                                                                MD5:4C16961688DB0A4A5FC0ADAA08B15DBE
                                                                SHA1:D51C2DBFCB7F25802477C175441DF83423957322
                                                                SHA-256:7135F3EE5F5CC4DA4BBA235301937A07A25397868AC78148CA908BF5FD756C85
                                                                SHA-512:4E1361CCCEF4E3CC4341B4F6322A799F069495FC3D8CF482B447FE97323020FB081E5C81B52EE340FE1AED5E13614025286C4F02DFFBEEA93F07E5A37FD269C5
                                                                Malicious:false
                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.3.4.0.7.8.1.2.0.9.0.6.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.3.4.0.7.8.1.9.4.3.4.3.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.7.1.3.f.2.8.-.e.b.f.0.-.4.b.e.6.-.9.a.2.8.-.5.0.f.6.7.6.b.8.a.3.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.7.1.7.f.d.8.-.8.5.e.b.-.4.8.5.6.-.b.9.0.0.-.e.a.0.b.6.b.1.5.7.0.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.f.c.-.0.0.0.1.-.0.0.1.4.-.8.4.a.e.-.1.8.5.3.1.c.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.2.f.5.5.1.2.a.6.8.e.8.1.8.7.1.e.c.9.c.0.8.b.1.5.d.1.f.9.f.1.d.0.0.0.0.0.0.0.0.!.0.0.0.0.d.a.9.1.6.3.9.4.4.b.1.f.5.1.4.3.8.b.2.6.0.2.c.b.c.9.5.6.6.0.a.f.4.3.1.7.2.0.6.5.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.
                                                                Process:C:\Windows\System32\WerFault.exe
                                                                File Type:Mini DuMP crash report, 16 streams, Sun Nov 17 18:13:01 2024, 0x1205a4 type
                                                                Category:dropped
                                                                Size (bytes):443391
                                                                Entropy (8bit):3.0992804073176337
                                                                Encrypted:false
                                                                SSDEEP:3072:RdvQHjcSMP4NJbPUzg57GOJC1CCqKIRP3+v1k8ua34MuMB3l:7oH3MANJbPUzgQwgq7P3QCgs2l
                                                                MD5:61BDEE17CE8ACA53BA5317888F482073
                                                                SHA1:0B10EA7BE0E36F11872C57A5CCFDAFA05824C383
                                                                SHA-256:877CF732585014F90C05C9C730A7DA016C0D8235E4445F05C09CFA7D7CE2C1CC
                                                                SHA-512:0C8351A9DC6D9A5942869B40F0EFF35FCFF39E3C227A0E1AB760E76AE4CC0A1FAFD6AE47D65CD65277D17074ECFF3FF95D44BA1624CB5DEC03CFDDF4DAD2F4E6
                                                                Malicious:false
                                                                Preview:MDMP..a..... .......-2:g........................d...........<...((..........d(.......7..P...........l.......8...........T...........8A.............|6..........h8..............................................................................eJ.......9......Lw......................T...........'2:g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\WerFault.exe
                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):6724
                                                                Entropy (8bit):3.7141007852457566
                                                                Encrypted:false
                                                                SSDEEP:96:RSIU6o7wVetbAsMdYZIeW8SnheMl5aMQURC89bqdSDyKfMXOm:R6l7wVeJJMdYZIpXTpDRC89bqAFfSOm
                                                                MD5:89E696EB85F44B2CD202B66ED018141B
                                                                SHA1:5B658371E440AC1CE8BA19E6C3998ED2C5DD9C10
                                                                SHA-256:35A160B27BF1D01B3BE41993073FF5A4C9F39D48451F5C42848B8A6CDC189BEC
                                                                SHA-512:752903B76BB13A2768622182D4D7FAEE8E1E49D9339084746F036473F5A574589F9A60412D223AA55E8C6D6DD7BA79CC1475777B40D2095871C5E3A98E6C76B1
                                                                Malicious:false
                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.<./.P.i.d.
                                                                Process:C:\Windows\System32\WerFault.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):4755
                                                                Entropy (8bit):4.418912093473443
                                                                Encrypted:false
                                                                SSDEEP:48:cvIwWl8zs9PJg771I9ydWpW8VYhPYm8M4J10PF8Syq8vw0qHt1Y5juld:uIjf9xI7Rs7VoSJoWeHt+5juld
                                                                MD5:C11F51C6E52445067B88E35AD1520E21
                                                                SHA1:E8D03F5E14420F267202806E47962DB2439A74BE
                                                                SHA-256:113906952EE55DA400B2D5CAFEC95BED57FAF210EA298F94246F2EC056844781
                                                                SHA-512:EB7C4E38050186809097DC57C05047C1067754EFC71C9379578165F74B9A71B0BF4A89D27C7C79B577060573D8C89F0FC07C2FC4E25E9073CB94D499DC04F345
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="592395" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                Process:C:\Windows\System32\WerFault.exe
                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                Category:dropped
                                                                Size (bytes):1835008
                                                                Entropy (8bit):4.421913964365036
                                                                Encrypted:false
                                                                SSDEEP:6144:QSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN40uhiTw:7vloTMW+EZMM6DFyC03w
                                                                MD5:B2C8DEB6B981D019A3C68F4318C37A06
                                                                SHA1:C34710CB179411DEE0F31E4C2B04FC19EF409A85
                                                                SHA-256:A3286CEBA27C9EB16015362BE4CF992AB808444CAE812F1F7846105B4C130C10
                                                                SHA-512:0ADC4AD4EF7F06B67602AAE17A3243197110B2A675855241D120FE1FEA4A7FC93D4FB79A995726F1D1FBA0AB3B9D2A3C73B655CCF6676CE18979B612CAD9AE9A
                                                                Malicious:false
                                                                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...V.9..............................................................................................................................................................................................................................................................................................................................................(R.b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\IAdjMfB2A5.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):208896
                                                                Entropy (8bit):6.358296180511797
                                                                Encrypted:false
                                                                SSDEEP:3072:LE9ZJhOb+68dbzP/b0GO1ItilKSRUGKXs+S++7KFSbxeY+qDDrMI:1q68dbD/b0mtilKDGqStKEbxI
                                                                MD5:4738E3496A3EFE5F19C57B764EB5BA9B
                                                                SHA1:DA9163944B1F51438B2602CBC95660AF43172065
                                                                SHA-256:CB51764F19E66BB6ACCD7F0418332BAC7759073ED245F0633DDDD53F68E81933
                                                                SHA-512:4CB3029E136471EDF2EBB46D1E4FC3A70E5138A5BD4B3FB182B6746D00C69FD5CF8822C0C90C2BCB4D8276DB0CECAC16EA0198E18A44E755A340495B19CC2238
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Windows\msedge.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\msedge.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\msedge.exe, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................,..........NJ... ...`....@.. ....................................@..................................I..O....`..~....................`....................................................... ............... ..H............text...T*... ...,.................. ..`.rsrc...~....`......................@..@.reloc.......`......................@..B................0J......H........c..\.......&.....................................................(....*.r...p*. E/..*..(....*.r)..p*. ~.H.*.s.........s.........s.........s.........*.r...p*.r...p*. h.7.*.ra..p*. .s..*.r...p*. .x!.*.r1..p*. %kU.*..((...*.rg..p*. h.:.*.r...p*. ...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rG..p*. R.,.*.r...p*. ..m.*.r...p*. .O..*.r...p*. ..e.*.r...p*. .[j.*.rO..p*.r...p*.r...p*. .(
                                                                File type:PE32+ executable (console) x86-64, for MS Windows
                                                                Entropy (8bit):6.568896102524296
                                                                TrID:
                                                                • Win64 Executable Console Net Framework (206006/5) 46.24%
                                                                • Win64 Executable Console (202006/5) 45.34%
                                                                • Win64 Executable (generic) Net Framework (21505/4) 4.83%
                                                                • Win64 Executable (generic) (12005/4) 2.69%
                                                                • Generic Win/DOS Executable (2004/3) 0.45%
                                                                File name:IAdjMfB2A5.exe
                                                                File size:887'808 bytes
                                                                MD5:a8bd5b655845ba8a23a38abfd7e1bb03
                                                                SHA1:90b245be80f5beb8b7b0e50bf910e1b4bff1f1cf
                                                                SHA256:f126b1c0b4ff973d9618b7287d011b61731c2b0e5e9960c72f5ef444288aa8dc
                                                                SHA512:f560893e04ee817be99c07a42ea654ce3f2ceaddcb3a644094a5316333ce85911f87eb06c10960673d53050e9b4a60410f0c61169c21e203014ba338138ed664
                                                                SSDEEP:12288:i98NVBjvwSRz04lj4k/GG6yY5adl8M64mzx8B/wmtilK6yEbx9:vV9vT5lj4MGdyY5SWv4mM/eyEr
                                                                TLSH:2615AF2A6FA921EDD1B7C17D84679243E735F48913108BEB12E485BC2F13AEC9E35B11
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!8..@V..@V..@V..8...@V......@V...U..@V...R..@V...S..@V...W..@V.10R..@V.D.R..@V.D.S..@V..+W..@V..@W..AV..._..@V......@V...T..@V
                                                                Icon Hash:00928e8e8686b000
                                                                Entrypoint:0x14007dd9c
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6739ABE2 [Sun Nov 17 08:40:02 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:75eb65370712eb02802f7b58c634fcdd
Instruction (disassembly at the entry point). Caveat: the listing below is a 32-bit decode of 64-bit code, so every x64 REX prefix (0x40-0x4F) shows up as a stray one-byte inc/dec of a register. Read "dec eax / sub esp, 28h" as "sub rsp, 28h", "dec eax / lea ecx, [...]" as "lea rcx, [...]", and so on. The opening sequence sub rsp,28h / call / add rsp,28h / jmp is the standard MSVC x64 entry stub (security-cookie initialisation followed by a jump into the CRT's main routine), not sample-specific code.
                                                                dec eax
                                                                sub esp, 28h
                                                                call 00007F9604E89F10h
                                                                dec eax
                                                                add esp, 28h
                                                                jmp 00007F9604E89597h
                                                                int3
                                                                int3
                                                                inc eax
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                dec eax
                                                                mov ebx, ecx
                                                                dec eax
                                                                lea ecx, dword ptr [00057DF0h]
                                                                call dword ptr [000033B2h]
                                                                mov eax, dword ptr [000572E8h]
                                                                dec eax
                                                                lea ecx, dword ptr [00057DDDh]
                                                                mov edx, dword ptr [00057DDFh]
                                                                inc eax
                                                                mov dword ptr [000572D3h], eax
                                                                mov dword ptr [ebx], eax
                                                                dec eax
                                                                mov eax, dword ptr [00000058h]
                                                                inc ecx
                                                                mov ecx, 00000010h
                                                                dec esp
                                                                mov eax, dword ptr [eax+edx*8]
                                                                mov eax, dword ptr [000572B8h]
                                                                inc ebx
                                                                mov dword ptr [ecx+eax], eax
                                                                call dword ptr [0000336Ah]
                                                                dec eax
                                                                lea ecx, dword ptr [00057D9Bh]
                                                                dec eax
                                                                add esp, 20h
                                                                pop ebx
                                                                dec eax
                                                                jmp dword ptr [00003407h]
                                                                int3
                                                                int3
                                                                int3
                                                                inc eax
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                dec eax
                                                                mov ebx, ecx
                                                                dec eax
                                                                lea ecx, dword ptr [00057D84h]
                                                                call dword ptr [00003346h]
                                                                cmp dword ptr [ebx], 00000000h
                                                                jne 00007F9604E89744h
                                                                or dword ptr [ebx], FFFFFFFFh
                                                                jmp 00007F9604E89767h
                                                                inc ebp
                                                                xor ecx, ecx
                                                                dec eax
                                                                lea edx, dword ptr [00057D6Ah]
                                                                inc ecx
                                                                or eax, FFFFFFFFh
                                                                dec eax
                                                                lea ecx, dword ptr [00057D57h]
                                                                call dword ptr [00003331h]
                                                                jmp 00007F9604E896FBh
                                                                cmp dword ptr [ebx], FFFFFFFFh
                                                                je 00007F9604E89700h
                                                                dec eax
                                                                mov eax, dword ptr [00000058h]
                                                                Programming Language:
                                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ded0 | 0x21c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd7000 | 0x4b6c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdd000 | 0x5b0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x944f0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x94580 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x943b0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x81000 | 0xc30 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Two of the empty entries carry information: the empty SECURITY directory means there is no Authenticode signature (matching "Digitally signed: false" above), and the empty COM_DESCRIPTOR directory means the outer image is native code with no CLR header, so the .NET assembly that the section table reports inside .data is carried as data, not as this image's own managed code.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7f440 | 0x7f600 | 60ba2880a62710448c4f54fec2421f1c | False | 0.47999723994111876 | data | 6.419225654128238 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x81000 | 0x2026e | 0x20400 | 2e9642c7ad9ab6c4a3f3a372e064e495 | False | 0.3608890503875969 | data | 5.711691742662163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa2000 | 0x34460 | 0x33a00 | 38780438f09375e5936bff1232bb21d0 | False | 0.4958431068401937 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | 6.346457468797536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xd7000 | 0x4b6c | 0x4c00 | c08300499ad2af162252297bc101fa2e | False | 0.48956620065789475 | data | 5.877358715482508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xdc000 | 0x1e8 | 0x200 | b157b572f7ae8075c9dcb0dc1dd07257 | False | 0.54296875 | data | 4.762595083624659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xdd000 | 0x5b0 | 0x600 | 36ba84efa0a9ce999652b889d8e98882 | False | 0.5546875 | data | 5.185301277370716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The File Type column is the point of interest here: the raw bytes of .data are identified as a 32-bit .NET PE, i.e. the 0x33a00-byte section begins with an MZ header of a second executable embedded in this native x64 console binary. Its entropy (6.35) is in the range of an uncompressed assembly rather than a packed or encrypted blob, which is why the section was not flagged as "Xored PE".
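The two per-section checks that matter in the table above (the Entropy column and the File Type identification of an embedded PE) are easy to reproduce without pefile. The script below is an added example, not Joe Sandbox's code and not derived from the sample: it parses the section table with the standard library, computes 8-bit Shannon entropy per section, flags writable-and-executable sections, and looks inside each section's raw bytes for an MZ header whose e_lfanew points at a valid PE signature. The PE it runs on is constructed in build_sample_pe() (three sections: plain code, a data section carrying an embedded MZ/PE stub, and a uniform byte blob); the 7.0 entropy threshold and the 0x1000 cap on e_lfanew are assumptions, not values from the report.

```python
"""Per-section triage of a PE image: Shannon entropy, RWX permissions and an
embedded MZ/PE header inside section data. Added example, standard library only;
the image it runs on is constructed below and is not the report's sample."""
import math
import struct
from typing import Dict, List, NamedTuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> 40-byte section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, raw_ptr, raw_size, chars))
    return sections


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + lfanew
            if 0x40 <= lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":  # assumed sane e_lfanew range
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(pe: bytes, entropy_threshold: float = 7.0) -> List[Dict]:
    """One row per section; flags mark what a reviewer would look at first."""
    rows = []
    for s in parse_sections(pe):
        raw = pe[s.raw_pointer:s.raw_pointer + s.raw_size]
        flags = []
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            flags.append("RWX")               # writable code: self-modifying or unpacking stub
        entropy = round(shannon_entropy(raw), 3)
        if entropy >= entropy_threshold:
            flags.append("high-entropy")      # compressed or encrypted blob
        if find_embedded_pe(raw):
            flags.append("embedded-PE")       # a second executable carried as data
        rows.append({"name": s.name, "va": s.virtual_address, "raw_size": s.raw_size,
                     "entropy": entropy, "flags": flags})
    return rows


def build_sample_pe() -> bytes:
    """Constructed PE32+ image with three sections (not the analysed sample):
    plain code, a data section carrying an embedded MZ/PE stub, and a uniform blob."""
    text = b"\x48\x83\xEC\x28" * 128                                # sub rsp,28h repeated
    embedded = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    data = embedded.ljust(0x200, b"\0")
    blob = bytes(range(256)) * 4                                     # every byte value equally often
    headers, raw_ptr = b"", 0x200
    for name, raw, chars in ((b".text", text, 0x60000020),
                             (b".data", data, 0xC0000040),
                             (b".pack", blob, 0xE0000040)):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw),
                               raw_ptr + 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)   # x64, 3 sections, 240-byte optional header
    optional = struct.pack("<H", 0x20B).ljust(240, b"\0")           # PE32+ magic, rest zeroed
    image = (dos + b"PE\0\0" + coff + optional + headers).ljust(0x200, b"\0")
    return image + text + data + blob


if __name__ == "__main__":
    for row in triage(build_sample_pe()):
        print(f"{row['name']:<8} va=0x{row['va']:x} raw=0x{row['raw_size']:x} "
              f"entropy={row['entropy']:.3f} {' '.join(row['flags'])}")
```

Run against a real file (`triage(open(path, "rb").read())`) the .data section of a binary like the one above comes back with the embedded-PE flag while its entropy stays below the threshold, which is exactly the pattern in the table: an unencrypted second executable hidden in plain data rather than a packed one.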
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xdc060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Imports
KERNEL32.dll: MultiByteToWideChar, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, MoveFileExA, SleepConditionVariableSRW, GetCurrentThreadId, GetLocaleInfoEx, GetCurrentDirectoryW, CreateDirectoryW, FindClose, FindFirstFileW, QueryPerformanceFrequency, WaitForSingleObjectEx, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemDirectoryA, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, WakeAllConditionVariable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VerSetConditionMask, SleepEx, LeaveCriticalSection, EnterCriticalSection, LocalFree, FormatMessageA, SetLastError, QueryFullProcessImageNameW, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, VirtualProtect, CreateThread, GetCurrentProcess, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, SetConsoleTitleA, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, CloseHandle, GetConsoleWindow, Beep, Sleep, GetStdHandle, OutputDebugStringW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, CreateFileW
USER32.dll: SetWindowLongW, MessageBoxA, GetWindowLongW, SetLayeredWindowAttributes
MSVCP140.dll: _Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Xbad_function_call@std@@YAXXZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ??0_Lockit@std@@QEAA@H@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, 
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setf@ios_base@std@@QEAAHHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?good@ios_base@std@@QEBA_NXZ, ?id@?$ctype@D@std@@2V0locale@2@A, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, 
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, _Query_perf_counter, ?_Xlength_error@std@@YAXPEBD@Z, ?_Random_device@std@@YAIXZ
Normaliz.dll: IdnToAscii
WLDAP32.dll: (no named imports listed)
CRYPT32.dll: CertEnumCertificatesInStore, CertFreeCertificateContext, CryptStringToBinaryA, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertCloseStore, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertOpenStore, CertFindCertificateInStore
WS2_32.dll: accept, closesocket, freeaddrinfo, recvfrom, recv, send, WSAGetLastError, sendto, gethostname, ntohl, bind, select, __WSAFDIsSet, ioctlsocket, listen, htonl, getaddrinfo, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, connect, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername
SHLWAPI.dll: PathFindFileNameW
RPCRT4.dll: RpcStringFreeA, UuidToStringA, UuidCreate
PSAPI.DLL: GetModuleInformation
USERENV.dll: UnloadUserProfile
VCRUNTIME140_1.dll: __CxxFrameHandler4
VCRUNTIME140.dll: __current_exception_context, __current_exception, strchr, memcpy, __std_exception_destroy, __C_specific_handler, memset, strrchr, __std_exception_copy, __std_terminate, strstr, _CxxThrowException, memchr, memcmp, memmove
api-ms-win-crt-runtime-l1-1-0.dll: exit, _initterm, _get_initial_narrow_environment, system, _set_app_type, _invalid_parameter_noinfo, _cexit, _crt_atexit, __p___argv, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _resetstkoflw, abort, _c_exit, _getpid, strerror, _errno, _beginthreadex, _initterm_e, __sys_nerr, _exit, _seh_filter_exe, _register_thread_local_exe_atexit_callback, _invalid_parameter_noinfo_noreturn, __p___argc, terminate
api-ms-win-crt-heap-l1-1-0.dll: malloc, _set_new_mode, calloc, _callnewh, free, realloc
api-ms-win-crt-convert-l1-1-0.dll: strtoll, strtoul, strtoull, strtol, strtod, atoi
api-ms-win-crt-environment-l1-1-0.dll: getenv
api-ms-win-crt-stdio-l1-1-0.dll: _lseeki64, fclose, fflush, _get_stream_buffer_pointers, fgetpos, fgets, fputc, fread, fsetpos, _fseeki64, fwrite, _pclose, _popen, ungetc, __stdio_common_vsprintf, _set_fmode, __acrt_iob_func, __p__commode, ftell, _open, _close, _write, _read, fseek, feof, __stdio_common_vsscanf, fputs, fopen, setvbuf, fgetc
api-ms-win-crt-filesystem-l1-1-0.dll: _lock_file, _unlock_file, _fstat64, _stat64, _access, _unlink
api-ms-win-crt-time-l1-1-0.dll: _gmtime64, strftime, _localtime64, _time64
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale, ___lc_codepage_func, localeconv
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr, _dclass
api-ms-win-crt-string-l1-1-0.dll: tolower, strpbrk, strncpy, strcmp, strcspn, strspn, isupper, _strdup, strncmp
api-ms-win-crt-utility-l1-1-0.dll: qsort
ADVAPI32.dll: CryptDestroyKey, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA, CryptEncrypt, CryptImportKey, CopySid, SetSecurityInfo, IsValidSid, InitializeAcl, GetTokenInformation, GetLengthSid, AddAccessAllowedAce, CryptDestroyHash, OpenProcessToken
SHELL32.dll: ShellExecuteA
Read as capability clusters, the import table already tells most of the story before any dynamic data is considered. WS2_32 sockets together with the CRYPT32 certificate-chain functions, WLDAP32 and Normaliz.dll IdnToAscii is the import set of a statically linked libcurl built against Schannel, which is consistent with the HTTPS session to keyauth.win and the plain HTTP request to ip-api.com recorded below. ShellExecuteA, system and _popen/_pclose give command execution; QueryFullProcessImageNameW, GetModuleInformation, IsDebuggerPresent and OutputDebugStringW support the process, module and debugger checks the report describes; CryptAcquireContextA/CryptImportKey/CryptEncrypt/CryptGenRandom are CryptoAPI use, and SetSecurityInfo/InitializeAcl/AddAccessAllowedAce rewrite object ACLs. MoveFileExA and CreateDirectoryW are what a drop-and-rename of a payload needs, and GetConsoleWindow with SetWindowLongW/SetLayeredWindowAttributes is the usual way a console binary hides its own window. None of this is obfuscated: the imports are resolved by name at load time rather than through LoadLibraryA/GetProcAddress alone.
Language of compilation system | Country where language is spoken | Map
English | United States |
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 19:12:57.905275106 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:57.905325890 CET | 443 | 49708 | 104.26.0.5 | 192.168.2.5
Nov 17, 2024 19:12:57.905436039 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:57.916625023 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:57.916645050 CET | 443 | 49708 | 104.26.0.5 | 192.168.2.5
Nov 17, 2024 19:12:58.553987026 CET | 443 | 49708 | 104.26.0.5 | 192.168.2.5
Nov 17, 2024 19:12:58.554088116 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:59.210649967 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:59.210676908 CET | 443 | 49708 | 104.26.0.5 | 192.168.2.5
Nov 17, 2024 19:12:59.210884094 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:12:59.211134911 CET | 443 | 49708 | 104.26.0.5 | 192.168.2.5
Nov 17, 2024 19:12:59.211209059 CET | 49708 | 443 | 192.168.2.5 | 104.26.0.5
Nov 17, 2024 19:13:01.331581116 CET | 49712 | 80 | 192.168.2.5 | 208.95.112.1
Nov 17, 2024 19:13:01.336375952 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.5
Nov 17, 2024 19:13:01.336469889 CET | 49712 | 80 | 192.168.2.5 | 208.95.112.1
Nov 17, 2024 19:13:01.337392092 CET | 49712 | 80 | 192.168.2.5 | 208.95.112.1
Nov 17, 2024 19:13:01.342139006 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.5
Nov 17, 2024 19:13:01.928514957 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.5
Nov 17, 2024 19:13:01.981132984 CET | 49712 | 80 | 192.168.2.5 | 208.95.112.1
Nov 17, 2024 19:13:19.213017941 CET | 49712 | 80 | 192.168.2.5 | 208.95.112.1
There are exactly two TCP sessions: local port 49708 to 104.26.0.5:443 (the first address returned for keyauth.win in the DNS answers below, so its TLS-protected content is not visible in this capture) and local port 49712 to 208.95.112.1:80 (ip-api.com, cleartext, the request and reply of which are reproduced in full further down). The keyauth.win exchange completes in under two seconds before the ip-api.com probe starts, which fixes the ordering: licence/loader check first, sandbox check second.
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 19:12:57.889467955 CET | 64512 | 53 | 192.168.2.5 | 1.1.1.1
Nov 17, 2024 19:12:57.900465012 CET | 53 | 64512 | 1.1.1.1 | 192.168.2.5
Nov 17, 2024 19:13:01.298559904 CET | 56289 | 53 | 192.168.2.5 | 1.1.1.1
Nov 17, 2024 19:13:01.305490017 CET | 53 | 56289 | 1.1.1.1 | 192.168.2.5
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 17, 2024 19:12:57.889467955 CET | 192.168.2.5 | 1.1.1.1 | 0x24ce | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
Nov 17, 2024 19:13:01.298559904 CET | 192.168.2.5 | 1.1.1.1 | 0x6135 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 17, 2024 19:12:57.900465012 CET | 1.1.1.1 | 192.168.2.5 | 0x24ce | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 19:12:57.900465012 CET | 1.1.1.1 | 192.168.2.5 | 0x24ce | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 19:12:57.900465012 CET | 1.1.1.1 | 192.168.2.5 | 0x24ce | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 19:13:01.305490017 CET | 1.1.1.1 | 192.168.2.5 | 0x6135 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
HTTP request and response
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 208.95.112.1 | 80 | 764 | C:\Windows\msedge.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 19:13:01.337392092 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Nov 17, 2024 19:13:01.928514957 CET | 174 | IN | HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 18:13:01 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true
This single exchange is the data-centre check. ip-api.com's "hosting" field reports whether the requesting IP belongs to a hosting, colocation or data-centre range, and the /line/ output format returns just that value; the reply "true" tells the sample that its egress address looks like infrastructure rather than a home or office connection, which is what a sandbox's egress IP usually looks like. Two details are useful for detection. First, the 80-byte request consists of the request line, Host and Connection only: there is no User-Agent header, which no browser would omit. Second, the requesting process is C:\Windows\msedge.exe, which is not where Microsoft Edge is installed (its msedge.exe lives under Program Files), so this is a file placed in the Windows directory under the browser's name rather than the browser itself.
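Both observations above translate directly into log-side detection logic. The following script is an added example, not part of the report or of Joe Sandbox, and the proxy log it scans is constructed here in an assumed tab-separated layout (timestamp, client IP, process image, method, URL, status). It flags any request to ip-api.com whose fields list asks for the hosting or proxy classification, in any of the API's output formats and regardless of the other fields requested, and separately flags an msedge.exe running from outside Edge's install directories. The set of probe hosts and the Edge install paths are assumptions for the example.

```python
"""Flag the egress-IP 'hosting' probe and the mis-located browser process seen in
the report's HTTP session, run over proxy log lines. Added example, not part of the
report or of Joe Sandbox; the log lines and their tab-separated layout are constructed."""
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: timestamp, client IP, process image, method, URL, status (tab-separated).
SAMPLE_LOG = "\n".join([
    "2024-11-17T18:12:30Z\t192.168.2.5\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\tGET\thttps://www.example.com/\t200",
    "2024-11-17T18:13:01Z\t192.168.2.5\tC:\\Windows\\msedge.exe\tGET\thttp://ip-api.com/line/?fields=hosting\t200",
    "2024-11-17T18:13:05Z\t192.168.2.5\tC:\\Tools\\geo.exe\tGET\thttp://ip-api.com/json/?fields=country,city\t200",
])

GEO_PROBE_HOSTS = {"ip-api.com"}        # the service contacted in the report (assumed list)
SANDBOX_FIELDS = {"hosting", "proxy"}    # ip-api.com fields that classify the requesting IP
EDGE_INSTALL_DIRS = (                    # where Microsoft Edge's msedge.exe legitimately lives (assumed)
    "c:\\program files\\microsoft\\edge\\",
    "c:\\program files (x86)\\microsoft\\edge\\",
)


def is_datacenter_probe(url: str) -> bool:
    """True when the URL asks ip-api.com whether the caller's IP is hosting/proxy space,
    regardless of output format (/line/, /json/, ...) or of other fields in the list."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in GEO_PROBE_HOSTS:
        return False
    requested = set()
    for value in parse_qs(parts.query).get("fields", []):
        requested.update(f.strip().lower() for f in value.split(","))
    return bool(requested & SANDBOX_FIELDS)


def is_masquerading_edge(image_path: str) -> bool:
    """True for an msedge.exe that is not under an Edge install directory."""
    p = image_path.lower()
    return p.endswith("\\msedge.exe") and not p.startswith(EDGE_INSTALL_DIRS)


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, rule name) for every line that trips a rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 6:
            continue                       # malformed line: skip rather than abort the scan
        _ts, _client, image, _method, url, _status = fields
        if is_datacenter_probe(url):
            findings.append((n, "datacenter-check"))
        if is_masquerading_edge(image):
            findings.append((n, "masquerading-msedge"))
    return findings


if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

The third constructed line shows why the rule keys on the fields parameter rather than on the host alone: a country lookup against the same API is ordinary application behaviour, while asking for hosting or proxy status from an endpoint the process has no business calling is the anti-analysis signal. In a real deployment the two rules fire on the same line, as they do here, which is a stronger indicator than either alone.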


                                                                Target ID:0
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Users\user\Desktop\IAdjMfB2A5.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\IAdjMfB2A5.exe"
                                                                Imagebase:0x7ff6743c0000
                                                                File size:887'808 bytes
                                                                MD5 hash:A8BD5B655845BA8A23A38ABFD7E1BB03
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2025716296.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c taskkill /IM EpicGamesLauncher.exe /F
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\taskkill.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:taskkill /IM EpicGamesLauncher.exe /F
                                                                Imagebase:0x7ff7cd5b0000
                                                                File size:101'376 bytes
                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\taskkill.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:taskkill /IM FortniteClient-Win64-Shipping_BE.exe /F
                                                                Imagebase:0x7ff7cd5b0000
                                                                File size:101'376 bytes
                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c taskkill /IM FortniteClient-Win64-Shipping.exe /F
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:13:12:54
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\taskkill.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:taskkill /IM FortniteClient-Win64-Shipping.exe /F
                                                                Imagebase:0x7ff7cd5b0000
                                                                File size:101'376 bytes
                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c taskkill /IM x64dbg.exe
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\taskkill.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:taskkill /IM x64dbg.exe
                                                                Imagebase:0x7ff7cd5b0000
                                                                File size:101'376 bytes
                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c cls
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c start C:\Windows\msedge.exe
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\msedge.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\msedge.exe
                                                                Imagebase:0xa80000
                                                                File size:208'896 bytes
                                                                MD5 hash:4738E3496A3EFE5F19C57B764EB5BA9B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000000.2036559031.0000000000A82000.00000002.00000001.01000000.00000004.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.2264433685.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Windows\msedge.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\msedge.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\msedge.exe, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 88%, ReversingLabs
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\certutil.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:certutil -hashfile "C:\Users\user\Desktop\IAdjMfB2A5.exe" MD5
                                                                Imagebase:0x7ff66fa20000
                                                                File size:1'651'712 bytes
                                                                MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\find.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:find /i /v "md5"
                                                                Imagebase:0x7ff799250000
                                                                File size:17'920 bytes
                                                                MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:13:12:55
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\find.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:find /i /v "certutil"
                                                                Imagebase:0x7ff799250000
                                                                File size:17'920 bytes
                                                                MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:13:12:58
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:13:12:58
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                                                                Imagebase:0x7ff7032c0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:13:12:58
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:13:12:58
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\timeout.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:timeout /t 5
                                                                Imagebase:0x7ff6b62e0000
                                                                File size:32'768 bytes
                                                                MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:13:12:58
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\WerFault.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 4324 -s 844
                                                                Imagebase:0x7ff709aa0000
                                                                File size:570'736 bytes
                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:26
                                                                Start time:13:13:01
                                                                Start date:17/11/2024
                                                                Path:C:\Windows\System32\WerFault.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 764 -s 1576
                                                                Imagebase:0x7ff709aa0000
                                                                File size:570'736 bytes
                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                  APIs
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF67443E79B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 389471666-631824599
                                                                  • Opcode ID: efa73ef24f490e5faadbf87a12d7fc140c6277bf11a4108ea5f1b8eeb10ccb23
                                                                  • Instruction ID: 798e56cbfb58f9a537ee2235ef8a48842e3c5613334f6fa26b695334f2eb1c86
                                                                  • Opcode Fuzzy Hash: efa73ef24f490e5faadbf87a12d7fc140c6277bf11a4108ea5f1b8eeb10ccb23
                                                                  • Instruction Fuzzy Hash: 40112837A24B82D6F7449B27D6883B922A0FB54B54F644135C64D82A58EF3CE4B4D700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: befe21f4c5dc23c4ebd0ff9711a4a20b5c330c8d710a54ff45fcbedc6c1aadbf
                                                                  • Instruction ID: 198aa1f94587b5217f7fe30e01fae770a5c813f3095cf8fab5265448f5ee01fe
                                                                  • Opcode Fuzzy Hash: befe21f4c5dc23c4ebd0ff9711a4a20b5c330c8d710a54ff45fcbedc6c1aadbf
                                                                  • Instruction Fuzzy Hash: D5111C23B25B01C9EB008F65E8992B833B4FB19758F540A31DA6D867ACDF78E1549340
                                                                  APIs
                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6743D4A90,?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF67443D5DA
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67443D5F0
                                                                    • Part of subcall function 00007FF67443E340: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF67443E349
                                                                    • Part of subcall function 00007FF67443E340: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF67443D5F5,?,?,7FFFFFFFFFFFFFFF,00007FF6743D4A90,?,?,00000000), ref: 00007FF67443E35A
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67443D5F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
                                                                  • String ID:
                                                                  • API String ID: 594857686-0
                                                                  • Opcode ID: 89de3611bbd22a04dd2e464d5e73be7467ef264a3b1ebb628240589f6e9e47d0
                                                                  • Instruction ID: b53c6194766a92472f1fec15fd1ec1ab4daba3097e000cdec434a49a35f0e3bc
                                                                  • Opcode Fuzzy Hash: 89de3611bbd22a04dd2e464d5e73be7467ef264a3b1ebb628240589f6e9e47d0
                                                                  • Instruction Fuzzy Hash: 1F8180B3E28602D9FB188F37A59A36836A0EB04764F614639D97DD77DCCE3DA050A740
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF67443E181,?,?,?,?,?,?,00007FF6743C1E88,?,?,?,?,00000000), ref: 00007FF67443E08B
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF67443E181,?,?,?,?,?,?,00007FF6743C1E88,?,?,?,?,00000000), ref: 00007FF67443E094
                                                                  • GetCurrentProcess.KERNEL32(?,?,00000000,00007FF67443E181,?,?,?,?,?,?,00007FF6743C1E88,?,?,?,?,00000000), ref: 00007FF67443E09A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                  • String ID:
                                                                  • API String ID: 1249254920-0
                                                                  • Opcode ID: f1ad5929439ef94b6048dd707d84ac0956b270ff5b3e313ef43f2b37e6e4d1c1
                                                                  • Instruction ID: 2afe4c6494c497f3807dd41f8c250dc7a208827a3ee7b09c6b69dd7482448315
                                                                  • Opcode Fuzzy Hash: f1ad5929439ef94b6048dd707d84ac0956b270ff5b3e313ef43f2b37e6e4d1c1
                                                                  • Instruction Fuzzy Hash: 86D09262A68A06C7FB182FA7A89E0355270EB58BD1F241034CA0AD676D9D3C94859304
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp, Offset: 00007FF674462000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f73c2ce1b8d0121abec82051c976c9bf014e1a5efc0b6d7ba5803e4b57889c2f
                                                                  • Instruction ID: 3ddcb6c086307d10b691b5a043ef80dfad9a936309ff43ed0a992957e4f7ebde
                                                                  • Opcode Fuzzy Hash: f73c2ce1b8d0121abec82051c976c9bf014e1a5efc0b6d7ba5803e4b57889c2f
                                                                  • Instruction Fuzzy Hash: 26D24B7240E3C29FD7538B7498A55917FB0EF1721471E48EBC4C0CF4A7EA28695ADB22
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32 ref: 00007FF6743C1903
                                                                    • Part of subcall function 00007FF67443DE1C: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF6743C18E3), ref: 00007FF67443DE2C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AcquireExclusiveHeapLockProcess
                                                                  • String ID:
                                                                  • API String ID: 3110430671-0
                                                                  • Opcode ID: df42efb74d82000628d15a2dbe70ec8a756d7954f4d67cf56d0c77babbb7ee05
                                                                  • Instruction ID: 273e1e4a499eb9de7e82b5b118764062c8fdfe6400853ed4646a54a11405a5a3
                                                                  • Opcode Fuzzy Hash: df42efb74d82000628d15a2dbe70ec8a756d7954f4d67cf56d0c77babbb7ee05
                                                                  • Instruction Fuzzy Hash: C031B963D39B03C5FA00DB26E9CC2B422A4EF54364FA14639D45DC22ADDF3DA5A5B740
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a08ebf1029983b58944e7f62e1c62f80f3ce8b79c0b4143d515b35457e242be
                                                                  • Instruction ID: 9347bcbef6a5f63759d94abfc9b841029c9bf4771d7a84e4246a3c78ffd4a1e8
                                                                  • Opcode Fuzzy Hash: 2a08ebf1029983b58944e7f62e1c62f80f3ce8b79c0b4143d515b35457e242be
                                                                  • Instruction Fuzzy Hash: EA123917D3EB928AF7035737A4421A0D2549FA32C5F91D333F9587596AFF2EB182A204
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
                                                                  • Instruction ID: 9fcc64f34324c9ca55253b117b242c3dda2f063b7217900d6a53f823404edb77
                                                                  • Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
                                                                  • Instruction Fuzzy Hash: E4417373B2554487E78CCE2AC8566AD33A3F399344F55C23EEA0AC7385DE399905CB44
                                                                  APIs
                                                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6743D3D4D
                                                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6743D3D6D
                                                                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6743D3D7D
                                                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6743D3DDD
                                                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6743D3E06
                                                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6743D3E3D
                                                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6743D3E81
                                                                  • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6743D3E88
                                                                  • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6743D3E95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                                  • String ID:
                                                                  • API String ID: 834659371-0
                                                                  • Opcode ID: b2e21623810db7a124a264fe541e86641703e3ccdc12770319e8d78b22795c84
                                                                  • Instruction ID: 4f9eaade1d5b68bad335b75440bd3cfcf033fc10ac5fde1288d517e826611e7a
                                                                  • Opcode Fuzzy Hash: b2e21623810db7a124a264fe541e86641703e3ccdc12770319e8d78b22795c84
                                                                  • Instruction Fuzzy Hash: EA513E33619A81C6DB108F1AD5D8278A7A0FB85F95B258536CE5E877A4CF3CD8568B00
                                                                  APIs
                                                                    • Part of subcall function 00007FF6743D3780: memcpy.VCRUNTIME140(?,?,?,?,?,0000006E00000006,?,00007FF6743C11CF), ref: 00007FF6743D3871
                                                                    • Part of subcall function 00007FF6743D3780: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,0000006E00000006,?,00007FF6743C11CF), ref: 00007FF6743D3850
                                                                    • Part of subcall function 00007FF6743D3780: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6743D388C
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF6743C17D7), ref: 00007FF6743C1E97
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF6743C17D7), ref: 00007FF6743C1E9E
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF6743C17D7), ref: 00007FF6743C1EA5
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF6743C17D7), ref: 00007FF6743C1EAC
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF6743C17D7), ref: 00007FF6743C1EB3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmemcpy
                                                                  • String ID: 1.0$QrvAn5W90r
                                                                  • API String ID: 2318677668-3410241493
                                                                  • Opcode ID: ae9df0ee8d06a071812cf8d42f62ee3795a700449507e5e22c8c312d6b43ac69
                                                                  • Instruction ID: 958f76b735bfa53aeea79df469ef82bad6b11b64219cba27a93bae23c8b2b004
                                                                  • Opcode Fuzzy Hash: ae9df0ee8d06a071812cf8d42f62ee3795a700449507e5e22c8c312d6b43ac69
                                                                  • Instruction Fuzzy Hash: B3719B63A28B86D5EA00DB26E9DC37D3761EB11BC0F514135CA4D87AAADF7DE490E340
                                                                  APIs
                                                                  • memcpy.VCRUNTIME140(?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF6743D4AD5
                                                                  • memcpy.VCRUNTIME140(?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF6743D4AE3
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF6743D4B1C
                                                                  • memcpy.VCRUNTIME140(?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF6743D4B34
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6743D4B69
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 1775671525-0
                                                                  • Opcode ID: cf1416afd1557f87ceb7534b6a9f55f61857176c02e062c450e81c782455fc54
                                                                  • Instruction ID: 3c38ab699d99879a84ae9a029022fe407fadce0d0cf4f269806ea02ed91344ac
                                                                  • Opcode Fuzzy Hash: cf1416afd1557f87ceb7534b6a9f55f61857176c02e062c450e81c782455fc54
                                                                  • Instruction Fuzzy Hash: 1B41EF63B29A41C1EE149B27E4883696361FF54FE4F684631DE9D8B789DE3CE0418704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Random_device@std@@_invalid_parameter_noinfo_noreturnmemcpy
                                                                  • String ID: 0$0123456789ABCDEF
                                                                  • API String ID: 1588066297-1037189808
                                                                  • Opcode ID: c17d26ee15d417622c6f8e8dc65713a4ffe66d4b0c47e977027765c8bad6113c
                                                                  • Instruction ID: f8722bc0b9d13cbf4ab97c269ba1270d36bf02d6f6282232c9caf3b8e340ad4e
                                                                  • Opcode Fuzzy Hash: c17d26ee15d417622c6f8e8dc65713a4ffe66d4b0c47e977027765c8bad6113c
                                                                  • Instruction Fuzzy Hash: E1B1BC73A14A85C2EB149F26D5983AD3762EB41FD8F848236DA4D4BB9ADF78D490C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Sleep$Query_perf_counterQuery_perf_frequency
                                                                  • String ID:
                                                                  • API String ID: 1739919806-0
                                                                  • Opcode ID: 3568cd39b5aeb5b53747b2c4026d7cf8647a81fa5c13d4a43e498fcd169539c5
                                                                  • Instruction ID: 319a6ef2764ddb07b2d7e81393e4701b420374a32c232a623b26985b853891af
                                                                  • Opcode Fuzzy Hash: 3568cd39b5aeb5b53747b2c4026d7cf8647a81fa5c13d4a43e498fcd169539c5
                                                                  • Instruction Fuzzy Hash: B841E763B19786C1DE148B17B4590799355FB88BF0F185232DE9E4B7D9DD3CE1419700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 1775671525-0
                                                                  • Opcode ID: 666e4a07cfed549dea8bbb4ed3d748ab6048889186f608eaaf0296d9ae4188ec
                                                                  • Instruction ID: c78bc9812e7e6d5d2788a13e4d9e926399e621d507500b9d8bbc356ffe7fa01e
                                                                  • Opcode Fuzzy Hash: 666e4a07cfed549dea8bbb4ed3d748ab6048889186f608eaaf0296d9ae4188ec
                                                                  • Instruction Fuzzy Hash: A631CD63B28B8184FE14DF27A1883696292AB14BF4F644675DAAD47BCDDE3CE091D304
                                                                  APIs
                                                                  • memcpy.VCRUNTIME140(?,0000006E00000006,?,00007FF6743C11CF), ref: 00007FF6743D36C1
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0000006E00000006,?,00007FF6743C11CF), ref: 00007FF6743D3730
                                                                    • Part of subcall function 00007FF67443D5C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6743D4A90,?,?,00000000,?,?,?,00007FF6743D3AD8), ref: 00007FF67443D5DA
                                                                  • memcpy.VCRUNTIME140(?,0000006E00000006,?,00007FF6743C11CF), ref: 00007FF6743D3753
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6743D3778
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2069211697.00007FF6743C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6743C0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2069196140.00007FF6743C0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069259808.00007FF674441000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069285543.00007FF674462000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069316674.00007FF674495000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2069333954.00007FF674497000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6743c0000_IAdjMfB2A5.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                  • String ID:
                                                                  • API String ID: 1155477157-0
                                                                  • Opcode ID: 8a7ffb634c21d4100efd349b4004451c11d6e23b80e2f98aac4077b79647fb63
                                                                  • Instruction ID: 55caad76b58c60570589967b2f2f9b3b1a5b83db9e39e639d571295097665f0a
                                                                  • Opcode Fuzzy Hash: 8a7ffb634c21d4100efd349b4004451c11d6e23b80e2f98aac4077b79647fb63
                                                                  • Instruction Fuzzy Hash: E131D863A29B82C5FA145F63A4843A92290EF04BF4F280735DB7D477D6DE7CE4929740

                                                                  Execution Graph

                                                                  Execution Coverage: 10.8%
                                                                  Dynamic/Decrypted Code Coverage: 100%
                                                                  Signature Coverage: 50%
                                                                  Total number of Nodes: 6
                                                                  Total number of Limit Nodes: 0

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  Control-flow graph (text rendering of the graph figure): node 29 = 7ff848e1764a-7ff848e17b0d, calls CheckRemoteDebuggerPresent; node 33 = 7ff848e17b0f; node 34 = 7ff848e17b15-7ff848e17b58. Edges: 29->33, 29->34, 33->34.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.2265288915.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_7ff848e10000_msedge.jbxd
                                                                  Similarity
                                                                  • API ID: CheckDebuggerPresentRemote
                                                                  • String ID:
                                                                  • API String ID: 3662101638-0
                                                                  • Opcode ID: 2abb2d664f14f07f292da73e4a112d6f46674e3453272131a238ca033765ba00
                                                                  • Instruction ID: 70ef75914c9cf870d2b90b78f53903d135addc495b1845c44c368365a0af3a97
                                                                  • Opcode Fuzzy Hash: 2abb2d664f14f07f292da73e4a112d6f46674e3453272131a238ca033765ba00
                                                                  • Instruction Fuzzy Hash: D331D231908A1C8FDB58EF5CC88A7F97BE0FF65311F04412AD48AD7241DB70A856CB91

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  Control-flow graph (text rendering of the graph figure): node 36 = 7ff848e17a6f-7ff848e17b0d, calls CheckRemoteDebuggerPresent; node 39 = 7ff848e17b0f; node 40 = 7ff848e17b15-7ff848e17b58. Edges: 36->39, 36->40, 39->40.
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.2265288915.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_7ff848e10000_msedge.jbxd
                                                                  Similarity
                                                                  • API ID: CheckDebuggerPresentRemote
                                                                  • String ID:
                                                                  • API String ID: 3662101638-0
                                                                  • Opcode ID: 5c32c8ebc54767a9f92215584314bafe07ba97f489278880465ffe1ca1246703
                                                                  • Instruction ID: 70954cdca69a7e04c0c67dea42019e802e6da43b0ac61664cd12552951681062
                                                                  • Opcode Fuzzy Hash: 5c32c8ebc54767a9f92215584314bafe07ba97f489278880465ffe1ca1246703
                                                                  • Instruction Fuzzy Hash: D131B231908A1C8FCB58DF5CD8867F97BE1FF65311F04416AD489D7241DB70A856CB91