
Windows Analysis Report
USE INCASE OF A SEVERE FORKIE.exe

Overview

General Information

Sample name: USE INCASE OF A SEVERE FORKIE.exe
Analysis ID: 1640029
MD5: f6dc48cb4911eaa1c1932ac896c99ea3
SHA1: 0eb1bc7de15a704fc2a93deee8a844efc1b3a759
SHA256: 13ada6aa3a732313040f1b3c8c694c58a14228d17604f9df98ba818daa8f6b22
Tags: diskwriter, exe, killmbr, skid, trojan, user-2huMarisa

Detection

Babadeda
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Babadeda
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Infects the VBR (Volume Boot Record) of the hard disk
Joe Sandbox ML detected suspicious sample
Sample or dropped binary is a compiled AutoHotkey binary
Writes directly to the primary disk partition (DR0)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
OS version to string mapping found (often used in BOTs)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • USE INCASE OF A SEVERE FORKIE.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe" MD5: F6DC48CB4911EAA1C1932AC896C99EA3)
    • cmd.exe (PID: 5644 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.bat "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mbr.exe (PID: 4908 cmdline: mbr.exe MD5: 2C7B90466A55D23E795EC70DBE20F23B)
      • meth.exe (PID: 1440 cmdline: meth.exe MD5: EA98448B2C0EAA773F5E10C4C9DFF7AD)
  • LogonUI.exe (PID: 1448 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa380c055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 7692 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3810055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 7724 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 3992 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa381d055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 5640 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 6296 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3824855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 6216 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 7184 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa382c055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 3372 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
Malware family
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus users.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
No configs have been found
Yara matches
Source | Rule | Description | Author | Strings
USE INCASE OF A SEVERE FORKIE.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
0.0.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
0.2.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |

        System Summary

        Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
        No Suricata rule has matched

        AV Detection

        Source: C:\Users\user\AppData\Roaming\mbr.exe | ReversingLabs: Detection: 43%
        Source: USE INCASE OF A SEVERE FORKIE.exe | Virustotal: Detection: 47%
        Source: USE INCASE OF A SEVERE FORKIE.exe | ReversingLabs: Detection: 55%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.6% probability

        Compliance

        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Unpacked PE file: 0.2.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack
        Source: USE INCASE OF A SEVERE FORKIE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400ACC30 FindFirstFileW,FindClose,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014003C310 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140066790 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140080A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140066AD0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400ACB30 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140081020 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140067120 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014007D890 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW
        Source: global traffic | DNS traffic detected: DNS query: api.msn.com
        Source: meth.exe, meth.exe, 00000005.00000002.1258730306.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe, 00000005.00000000.1254953461.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe.0.dr | String found in binary or memory: https://autohotkey.com
        Source: USE INCASE OF A SEVERE FORKIE.exe, 00000000.00000003.1251966125.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, meth.exe, 00000005.00000002.1258730306.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe, 00000005.00000000.1254953461.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe.0.dr | String found in binary or memory: https://autohotkey.comCould
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140006500 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140006160 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400AF920 EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400063E0 GetClipboardFormatNameW,GetClipboardData
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140054720 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400162F0 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140001B0C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer

        Operating System Destruction

        Source: C:\Users\user\AppData\Roaming\mbr.exe | Code function: 3_2_00401530 CreateFileW on filename \\.\PhysicalDrive0

        System Summary

        Source: C:\Users\user\AppData\Roaming\meth.exe | Window found: window name: AutoHotkey
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014005EF20 CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400810A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140095BE45_2_0000000140095BE4
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140045C3B5_2_0000000140045C3B
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_000000014007DC605_2_000000014007DC60
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140095CA05_2_0000000140095CA0
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140049CB05_2_0000000140049CB0
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_000000014004BCB05_2_000000014004BCB0
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140095CB95_2_0000000140095CB9
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140095CC15_2_0000000140095CC1
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140095CD75_2_0000000140095CD7
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140059D105_2_0000000140059D10
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140079DD05_2_0000000140079DD0
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140097E205_2_0000000140097E20
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_000000014009BE505_2_000000014009BE50
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140097F0B5_2_0000000140097F0B
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140045F5B5_2_0000000140045F5B
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140071F805_2_0000000140071F80
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: String function: 00000001400C8EDC appears 390 times
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: String function: 000000014003FE00 appears 59 times
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: String function: 0000000140040150 appears 454 times
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: String function: 00000001400C9134 appears 59 times
        Source: mbr.exe.0.dr Static PE information: Number of sections : 17 > 10
        Source: USE INCASE OF A SEVERE FORKIE.exe, 00000000.00000003.1251966125.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs USE INCASE OF A SEVERE FORKIE.exe
        Source: unknown Driver loaded: C:\Windows\System32\cdd.dll
        Source: USE INCASE OF A SEVERE FORKIE.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: classification engine Classification label: mal100.troj.evad.winEXE@17/4@1/0
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_00000001400415C0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_00000001400810A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_00000001400605A9 wcsncpy,GetDiskFreeSpaceW,GetLastError,malloc
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_0000000140081330 CreateToolhelp32Snapshot,Process32FirstW,_wcstoi64,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_000000014007E820 CoInitialize,CoCreateInstance,malloc,malloc,malloc,malloc,malloc,malloc,CoUninitialize
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File created: C:\Users\user\AppData\Roaming\mbr.exe
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File created: C:\Users\user\AppData\Local\Temp\EE27.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.bat "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe""
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: USE INCASE OF A SEVERE FORKIE.exe Virustotal: Detection: 47%
        Source: USE INCASE OF A SEVERE FORKIE.exe ReversingLabs: Detection: 55%
        Source: unknown Process created: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe"
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.bat "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe""
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\mbr.exe mbr.exe
        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\meth.exe meth.exe
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa380c055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3810055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa381d055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3824855 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa382c055 /state1:0x41c64e6d
        Source: unknown Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: slc.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: pcacli.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Section loaded: sfc_os.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\mbr.exe Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: wsock32.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: version.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Roaming\meth.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll
        Source: C:\Windows\System32\LogonUI.exe Section loaded: uiautomationcore.dll
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

        Data Obfuscation

        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Unpacked PE file: 0.2.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack
        Source: Yara match File source: USE INCASE OF A SEVERE FORKIE.exe, type: SAMPLE
        Source: Yara match File source: 0.0.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.USE INCASE OF A SEVERE FORKIE.exe.400000.0.unpack, type: UNPACKEDPE
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen
        Source: USE INCASE OF A SEVERE FORKIE.exe Static PE information: section name: .code
        Source: mbr.exe.0.dr Static PE information: section name: .xdata
        Source: mbr.exe.0.dr Static PE information: section name: /4
        Source: mbr.exe.0.dr Static PE information: section name: /19
        Source: mbr.exe.0.dr Static PE information: section name: /31
        Source: mbr.exe.0.dr Static PE information: section name: /45
        Source: mbr.exe.0.dr Static PE information: section name: /57
        Source: mbr.exe.0.dr Static PE information: section name: /70
        Source: mbr.exe.0.dr Static PE information: section name: /81
        Source: mbr.exe.0.dr Static PE information: section name: /92
        Source: meth.exe.0.dr Static PE information: section name: text
        Source: C:\Users\user\AppData\Roaming\mbr.exe Code function: 3_2_00410649 push rsp; iretd 3_2_0041064A
        Source: C:\Users\user\AppData\Roaming\mbr.exe Code function: 3_2_0040EC51 pushfq ; ret 3_2_0040EC52
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_00000001401274CB push rbp; iretd 5_2_00000001401274DE
        Source: C:\Users\user\AppData\Roaming\meth.exe Code function: 5_2_00000001400D7800 push rbp; iretd 5_2_00000001400D7CF8

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Roaming\mbr.exe Code function: CreateFileW,CreateFileW,WriteFile,WriteFile,CloseHandle,CloseHandle, \\.\PhysicalDrive0 3_2_00401530
        Source: C:\Users\user\AppData\Roaming\mbr.exe File written: \Device\Harddisk0\DR0 offset: 512
        Source: C:\Users\user\AppData\Roaming\mbr.exe File written: \Device\Harddisk0\DR0 offset: 512 length: 512
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File created: \use incase of a severe forkie.exe
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File created: C:\Users\user\AppData\Roaming\meth.exe
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe File created: C:\Users\user\AppData\Roaming\mbr.exe

        Boot Survival

        Source: C:\Users\user\AppData\Roaming\mbr.exeCode function: CreateFileW,CreateFileW,WriteFile,WriteFile,CloseHandle,CloseHandle, \\.\PhysicalDrive03_2_00401530
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140050066 IsZoomed,IsIconic,5_2_0000000140050066
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140058650 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,GetClassNameW,EnumChildWindows,malloc,5_2_0000000140058650
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140054720 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc,5_2_0000000140054720
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140096760 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,5_2_0000000140096760
        Source: C:\Users\user\AppData\Roaming\meth.exeCode function: 5_2_0000000140096760 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,5_2_0000000140096760
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009084D GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009085D MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140090855 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009086B MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009688B ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140096881 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400908AF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400448C0 IsWindow,DestroyWindow,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetWindowRect,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,IsWindow,CreateWindowExW,SendMessageW,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowRect,SendMessageW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400968B6 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400968E8 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400908E7 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400908F6 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009693A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009698C ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400569A0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400929B0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400969B7 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014008EA10 SendMessageW,MulDiv,MulDiv,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400B0AE0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014009CC40 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400B0CC0 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140068FE0 GetTickCount,GetForegroundWindow,GetTickCount,GetWindowThreadProcessId,GetGUIThreadInfo,ClientToScreen,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_itow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400531A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,SelectObject,DeleteDC,DeleteObject,malloc,GetPixel,ReleaseDC,malloc,malloc
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400AD2F0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400A1410 CheckMenuItem,CheckMenuItem,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetForegroundWindow,GetWindowThreadProcessId,SetForegroundWindow,SetForegroundWindow,TrackPopupMenuEx,PostMessageW,GetForegroundWindow,SetForegroundWindow
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140079DD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,malloc,malloc
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\meth.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140018A10
        Source: C:\Users\user\AppData\Roaming\meth.exe | API coverage: 1.2 %
        Source: C:\Users\user\AppData\Roaming\mbr.exe | File opened: PhysicalDrive0
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014001A3F0 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 000000014001A56Dh country: Russian (ru)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226A7 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226A7 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226AF GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226AF GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226B6 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226B6 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226DD GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400226DD GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140022701 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140022701 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140022725 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228D9h country: Urdu (ur)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140022725 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228D9h country: Inuktitut (iu)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140014B90 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014EF2h country: Spanish (es)
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140058D60 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 0000000140059093h
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140058D60 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140058F53h
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400ACC30 FindFirstFileW,FindClose,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014003C310 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140066790 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140080A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140066AD0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400ACB30 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140081020 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140067120 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.tmp
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\Local\
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | File opened: C:\Users\user\AppData\
        Source: C:\Users\user\AppData\Roaming\meth.exe | API call chain: ExitProcess graph end node
        Source: C:\Users\user\AppData\Roaming\meth.exe | API call chain: ExitProcess graph end node
        Source: C:\Windows\System32\cdd.dll | System information queried: ModuleInformation

        Anti Debugging

        Source: C:\Users\user\AppData\Roaming\mbr.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140038036 GlobalUnlock,CloseClipboard,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,BlockInput
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400D0780 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400D6D4C GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Code function: 0_2_00409950 SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Code function: 0_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
        Source: C:\Users\user\AppData\Roaming\mbr.exe | Code function: 3_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA
        Source: C:\Users\user\AppData\Roaming\mbr.exe | Code function: 3_2_00402250 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400D2214 SetUnhandledExceptionFilter
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400CD3F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_00000001400415C0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140016D80 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140018590 mouse_event
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.bat "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe""
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\mbr.exe mbr.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\meth.exe meth.exe
        Source: meth.exe | Binary or memory string: Program Manager
        Source: meth.exe | Binary or memory string: Shell_TrayWnd
        Source: meth.exe | Binary or memory string: Progman
        Source: meth.exe.0.dr | Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
        Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
        Source: C:\Users\user\AppData\Roaming\mbr.exe | Code function: 3_2_00402170 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140068C00 GetComputerNameW,GetUserNameW
        Source: C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe | Code function: 0_2_0040559A GetVersionExW,GetVersionExW
        Source: meth.exe | Binary or memory string: WIN_XP
        Source: meth.exe.0.dr | Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.05\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfo
        Source: meth.exe | Binary or memory string: WIN_VISTA
        Source: meth.exe | Binary or memory string: WIN_7
        Source: meth.exe | Binary or memory string: WIN_8
        Source: meth.exe | Binary or memory string: WIN_8.1
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014001E300 PostThreadMessageW,Sleep,GetTickCount,GetExitCodeThread,GetTickCount,Sleep,CloseHandle,CreateMutexW,CloseHandle,CreateMutexW,CloseHandle,Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_0000000140072DB0 RemoveClipboardFormatListener,ChangeClipboardChain
        Source: C:\Users\user\AppData\Roaming\meth.exe | Code function: 5_2_000000014001EF90 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain
        MITRE ATT&CK Matrix (the number before a technique name is the count of matched signatures; one column per tactic)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Native API | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 LSASS Driver | 1 LSASS Driver | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | 4 Bootkit | 1 Access Token Manipulation | 1 Software Packing | NTDS | 35 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 34 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 4 Bootkit | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Behavior Graph (ID: 1640029; Sample: USE INCASE OF A SEVERE FORKIE.exe; Startdate: 16/03/2025; Architecture: WINDOWS; Score: 100)
        Contacted domains: g-bing-com.ax-0001.ax-msedge.net, bg.microsoft.map.fastly.net, 5 other IPs or domains
        Signatures on the sample: Multi AV Scanner detection for submitted file; Detected unpacking (overwrites its own PE header); Yara detected Babadeda; Joe Sandbox ML detected suspicious sample
        Started processes: USE INCASE OF A SEVERE FORKIE.exe, LogonUI.exe (2 instances), 11 other processes
        USE INCASE OF A SEVERE FORKIE.exe dropped C:\Users\user\AppData\Roaming\meth.exe (PE32+) and C:\Users\user\AppData\Roaming\mbr.exe (PE32+) and started cmd.exe
        cmd.exe started mbr.exe, meth.exe and conhost.exe
        mbr.exe dropped \Device\Harddisk0\DR0 (DOS/MBR); signatures: Multi AV Scanner detection for dropped file; Writes directly to the primary disk partition (DR0); Infects the VBR (Volume Boot Record) of the hard disk; 3 other signatures
        meth.exe signatures: Sample or dropped binary is a compiled AutoHotkey binary; Contains functionality to detect sleep reduction / modifications
        Source | Detection | Scanner | Label
        USE INCASE OF A SEVERE FORKIE.exe | 47% | Virustotal |
        USE INCASE OF A SEVERE FORKIE.exe | 56% | ReversingLabs | Win32.PUA.Generic

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\mbr.exe | 43% | ReversingLabs | Win64.Trojan.Generic
        C:\Users\user\AppData\Roaming\meth.exe | 2% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://autohotkey.comCould | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
        a-0003.a-msedge.net | 204.79.197.203 | true | false | | high
        ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high
        api.msn.com | unknown | unknown | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://autohotkey.com | meth.exe, meth.exe, 00000005.00000002.1258730306.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe, 00000005.00000000.1254953461.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe.0.dr | false | | high
        https://autohotkey.comCould | USE INCASE OF A SEVERE FORKIE.exe, 00000000.00000003.1251966125.0000000002B8C000.00000004.00000020.00020000.00000000.sdmp, meth.exe, 00000005.00000002.1258730306.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe, 00000005.00000000.1254953461.00000001400DE000.00000002.00000001.01000000.00000006.sdmp, meth.exe.0.dr | false | Avira URL Cloud: safe | unknown
                  No contacted IP infos
                  Joe Sandbox version: 42.0.0 Malachite
                  Analysis ID: 1640029
                  Start date and time: 2025-03-16 21:54:43 +01:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 6m 23s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed: 38
                  Number of new started drivers analysed: 4
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Sample name: USE INCASE OF A SEVERE FORKIE.exe
                  Detection: MAL
                  Classification: mal100.troj.evad.winEXE@17/4@1/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 205
                  • Number of non-executed functions: 93
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Connection to analysis system has been lost, crash info: Unknown
                  • Exclude process from analysis (whitelisted): dllhost.exe, smss.exe, dwm.exe, csrss.exe, winlogon.exe, SgrmBroker.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 23.60.203.209, 2.19.104.63, 23.60.201.147, 2.23.227.208, 2.23.227.215, 184.86.251.21, 184.86.251.9, 184.86.251.17, 184.86.251.27, 184.86.251.22, 52.149.20.212, 20.242.39.171, 52.165.164.15, 20.190.159.4, 20.190.159.128, 20.190.159.23, 20.190.159.64, 40.126.31.73, 40.126.31.67, 20.190.159.68, 20.190.159.73, 20.74.47.205, 20.199.58.43, 150.171.28.10
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, g.bing.com, iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, iris-de-prod-azsc-v2-frc-b.francecentral.cloudapp.azure.com, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, r.bing.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, arc.trafficmanager.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, e15275.d.akamaiedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, r.bing.com.edgekey.net, tile-service.weather.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, www-www.bing.c
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:55:41 | API Interceptor | 1x Sleep call for process: meth.exe modified
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 199.232.210.172
bg.microsoft.map.fastly.net | FNLJD8Q3.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | MTE PO - 0515-000112.xls | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | zsd5jgZ9LU.exe | malicious | DanaBot | 199.232.214.172
bg.microsoft.map.fastly.net | LaunchV.2.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | shit.exe.bin.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | attach.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | AgnotSecurity.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | malicious | XWorm | 199.232.210.172
a-0003.a-msedge.net | ExLoader_Installer.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm | 204.79.197.203
a-0003.a-msedge.net | system.dll.exe | malicious | Python Stealer, Braodo | 204.79.197.203
a-0003.a-msedge.net | system.dll.exe | malicious | Python Stealer, Braodo | 204.79.197.203
a-0003.a-msedge.net | file.exe | malicious | Vidar | 204.79.197.203
a-0003.a-msedge.net | ImageG.exe | malicious | NovaSentinel | 204.79.197.203
a-0003.a-msedge.net | GlitchNote.exe | malicious | Unknown | 204.79.197.203
a-0003.a-msedge.net | work.js | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 204.79.197.203
a-0003.a-msedge.net | Blue-Cloner-Signed.exe | malicious | RedLine | 204.79.197.203
a-0003.a-msedge.net | Bthvgkck.exe | malicious | Unknown | 204.79.197.203
a-0003.a-msedge.net | v7942.exe | malicious | Stealc, Vidar | 204.79.197.203
ax-0001.ax-msedge.net | FNLJD8Q3.exe | malicious | Unknown | 150.171.28.10
ax-0001.ax-msedge.net | Setup.exe | malicious | Python Stealer, Blank Grabber | 150.171.28.10
ax-0001.ax-msedge.net | system.dll.exe | malicious | Python Stealer, Braodo | 150.171.27.10
ax-0001.ax-msedge.net | system.dll.exe | malicious | Python Stealer, Braodo | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Vidar | 150.171.27.10
ax-0001.ax-msedge.net | ImageG.exe | malicious | NovaSentinel | 150.171.28.10
ax-0001.ax-msedge.net | GalaxySoft.exe | malicious | LummaC Stealer | 150.171.28.10
ax-0001.ax-msedge.net | DiscordNitrofree2021.exe | malicious | Unknown | 150.171.28.10
ax-0001.ax-msedge.net | GlitchNote.exe | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | Setup.exe | malicious | LummaC Stealer, Xmrig | 150.171.28.10
                  No context
                  No context
                  No context
                  Process:C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):53
                  Entropy (8bit):4.34519946371142
                  Encrypted:false
                  SSDEEP:3:NNgnzKDDVBFhVVCENvI5g0C:NS03H9u6
                  MD5:1E4BEA4C4CFFFBB0270C97E33FEAFC50
                  SHA1:5BEB7A6BEDB10AB99D7FBA2A0257FC651E4415A3
                  SHA-256:22BCD5367CB4268923C9AF73B0C6F42D0B0BC1CBD140481B358A147F2E247559
                  SHA-512:48126559B92EBBF0DDFBEF0B16596A3328462CE062B422870042AF0C5204C3E5C0B8E8A79A14E7F571EE496C775FFB48FF917624B9D52867708A15827B5A93CF
                  Malicious:false
                  Preview:@shift /0..@echo off..cd %appdata%..mbr.exe..meth.exe
                  Process:C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe
                  File Type:PE32+ executable (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):135004
                  Entropy (8bit):5.137568330915826
                  Encrypted:false
                  SSDEEP:1536:ZYMy0+Ls8yumaMXRuwNeW4UNAdz2mAUvMFM7iNVRu9xt2ZV+M:ZYMyNfQuZUNAdz2moBRixt2aM
                  MD5:2C7B90466A55D23E795EC70DBE20F23B
                  SHA1:D4D272E6F54CFF2C862989568652004930C2B0A4
                  SHA-256:3CA189F1ACA6ABFE6FE312150CB5BA4927BCE2D00D377706729FE369B066A2E2
                  SHA-512:8B8E01222818AB66BD47FB514E221856980CD7368881B88566D4DE2DE64F7384363EC1E10E06FC4EC2F63F0E3A793897B1B5F3AC24B2D8B1462FD2A09F1F7379
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 43%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....[L`..........'.........."................@..............................0......3}........ ..............................................................P..@........................................... ...(....................................................text............................... .P`.data........0.......$..............@.P..rdata..P....@.......&..............@.p@.pdata..@....P.......2..............@.0@.xdata.......`.......6..............@.0@.bss....`....p........................p..idata...............8..............@.0..CRT....h............B..............@.@..tls....h............D..............@.`./4......P............F..............@.PB/19.....V............L..............@..B/31.................................@..B/45..................*..............@..B/57..................F..............@.@B/70..................R..............@..B/81.....
                  Process:C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe
                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):1219072
                  Entropy (8bit):6.464576084294604
                  Encrypted:false
                  SSDEEP:24576:W8BVhrOQzObG0qjtF4uLr4IksX3d5KMAh3cYz1TA6ckAcqqG:W8BVhrOQzObG0qjtF4uLr4IksXtEMy3c
                  MD5:EA98448B2C0EAA773F5E10C4C9DFF7AD
                  SHA1:89AADF9213EDB7939E4C4D7E461ED0A1CA6A5430
                  SHA-256:8F3649BD8D015115BD88E332895A2EF9AC347394A7A91A7D0787C777FDB96CAA
                  SHA-512:2CB95CC431D1C2558803183AF1D2BE57356CEADE06FAFE41BB45AC2CAB5BBC9230EF9872B3FBE516A789FA14CC39B3C7EB34A9E0A0CD77F8313BBAF2D042AADF
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 2%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&.DXG..XG..XG..C...mG..C....G..Q? .^G..Q?$.YG..Q?0.EG..XG...F..C.=.OG..C...sG..C.9.YG..C.>.YG..RichXG..........PE..d.....G`..........#............................@.............................@................@.............................................,...,........X.......x...................................................................................................text............................... ..`.rdata..............................@..@.data............P..................@....pdata...x.......z...0..............@..@text.....%...@...&..................@.. data.....n...p...p..................@..@.rsrc....X.......Z...@..............@..@........................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Roaming\mbr.exe
                  File Type:DOS/MBR boot sector
                  Category:dropped
                  Size (bytes):512
                  Entropy (8bit):2.6334230464890553
                  Encrypted:false
                  SSDEEP:3:U/1HUy8oXVKfYmFRiuFJKZkoqoFS/jFDnz3ETAGFbzkPVKQLYdF4yqiqqHC:M00XVKlJYJCnwjFH+gQMdKRiRHC
                  MD5:D67C8C2CE040B50679326969DCDFCEA5
                  SHA1:F28D72376FE0FB4F162D26A38A8DF9B7E8F2B72C
                  SHA-256:8B00B52050064621CBB8419681A17B4655EAD432B1756DBDA7A7D1FF98F706E6
                  SHA-512:9B43826EFAEA51502989B9A46920166550352DADBC815ACCDB7CBFBE63A31333CF1124137A6109B60C6AA0B5FCFA670AA455118379F2FA784500656BBA74FE50
                  Malicious:true
                  Preview:........3|...P...<.t....F..................O....This VM has been locked..The VM was locked because we have detected a forkie here or other reasons..Made by DESKTOP GOOSE..................................................................................................................................................................................................................................................................................................................................................U.
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.700155300388868
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.94%
                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • VXD Driver (31/22) 0.00%
                  File name:USE INCASE OF A SEVERE FORKIE.exe
                  File size:845'312 bytes
                  MD5:f6dc48cb4911eaa1c1932ac896c99ea3
                  SHA1:0eb1bc7de15a704fc2a93deee8a844efc1b3a759
                  SHA256:13ada6aa3a732313040f1b3c8c694c58a14228d17604f9df98ba818daa8f6b22
                  SHA512:cef256ad372e184d64c41c9f3449170b003ae639ea944b799fcb42f5796415a1ee92cda32578fbb41947240e3a04dd88e8e692daa8847217644ed6b8a01c6bcf
                  SSDEEP:24576:TcvkTy1TQ+jCNfovpiGhoilUAySg23puiLnqfb:YvkTEhjefov0jCg+pzmT
                  TLSH:E005028577D188A6D1B10F3000A1E67863A6BE147E34F593DF98BD836A737D11E782D8
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....................0....@.......................... .............................................
                  Icon Hash:962361a4602d0d43
                  Entrypoint:0x401000
                  Entrypoint Section:.code
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:
                  Time Stamp:0x5D400562 [Tue Jul 30 08:52:50 2019 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:5877688b4859ffd051f6be3b8e0cd533
                  Instruction
                  push 000000ACh
                  push 00000000h
                  push 00418010h
                  call 00007F84B9536711h
                  add esp, 0Ch
                  push 00000000h
                  call 00007F84B953670Ah
                  mov dword ptr [00418014h], eax
                  push 00000000h
                  push 00001000h
                  push 00000000h
                  call 00007F84B95366F7h
                  mov dword ptr [00418010h], eax
                  call 00007F84B9536671h
                  mov eax, 00417088h
                  mov dword ptr [00418034h], eax
                  call 00007F84B953F492h
                  call 00007F84B953F1FEh
                  call 00007F84B953C0F8h
                  call 00007F84B953B97Ch
                  call 00007F84B953B40Fh
                  call 00007F84B953B189h
                  call 00007F84B953ACADh
                  call 00007F84B953A42Dh
                  call 00007F84B95369F5h
                  call 00007F84B953DD78h
                  call 00007F84B953C820h
                  mov edx, 0041702Eh
                  lea ecx, dword ptr [0041801Ch]
                  call 00007F84B9536688h
                  push FFFFFFF5h
                  call 00007F84B9536698h
                  mov dword ptr [0041803Ch], eax
                  mov eax, 00000200h
                  push eax
                  lea eax, dword ptr [004180B8h]
                  push eax
                  xor eax, eax
                  push eax
                  push 00000015h
                  push 00000004h
                  call 00007F84B953B3D2h
                  push dword ptr [004180A0h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1717c | 0xc8 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0xb8ec4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17470 | 0x22c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.code | 0x1000 | 0x37f0 | 0x3800 | 6c0f4094a5493360ae8c9032ef3a9f47 | False | 0.47140066964285715 | data | 5.608776130769213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text | 0x5000 | 0xd2c2 | 0xd400 | 1da643e4b1937b50550f9d9e8250428e | False | 0.5114239386792453 | data | 6.558083729279072 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x339d | 0x3400 | 4fb07923b0eb72c40319d48fd2d4f13f | False | 0.8046123798076923 | data | 7.110640338733979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x172c | 0x1200 | af2a28a01f6bfa6ebb69c008c0665f8d | False | 0.3943142361111111 | data | 4.998269116195556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19000 | 0xb8ec4 | 0xb9000 | ee5a40f1d130463a3a64ee4712fec087 | False | 0.9076858108108108 | data | 7.746728610496483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19514 | 0x5b9d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9784249349763356
RT_ICON | 0x1f0b4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 |  |  | 0.27481367561812375
RT_ICON | 0x2f8dc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 |  |  | 0.34777987718469533
RT_ICON | 0x33b04 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 |  |  | 0.4103734439834025
RT_ICON | 0x360ac | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 |  |  | 0.47209193245778613
RT_ICON | 0x37154 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 |  |  | 0.6152482269503546
RT_RCDATA | 0x375bc | 0x9 | data |  |  | 1.8888888888888888
RT_RCDATA | 0x375c8 | 0x2b | data |  |  | 1.255813953488372
RT_RCDATA | 0x375f4 | 0xa6ed | data |  |  | 1.0004914234900428
RT_RCDATA | 0x41ce4 | 0x8fe79 | data |  |  | 1.0003155574933877
RT_RCDATA | 0xd1b60 | 0x1 | very short file (no magic) |  |  | 9.0
RT_RCDATA | 0xd1b64 | 0x4e | data |  |  | 1.141025641025641
RT_RCDATA | 0xd1bb4 | 0x12 | zlib compressed data |  |  | 1.3333333333333333
RT_GROUP_ICON | 0xd1bc8 | 0x5a | data |  |  | 0.7666666666666667
RT_MANIFEST | 0xd1c24 | 0x2a0 | XML 1.0 document, ASCII text, with very long lines (672), with no line terminators |  |  | 0.5520833333333334
DLL | Imports
MSVCRT.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL | GetStockObject
COMCTL32.DLL | InitCommonControlsEx
SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL | timeBeginPeriod
OLE32.DLL | CoInitialize, CoTaskMemFree
SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 21:55:53.584377050 CET | 51575 | 53 | 192.168.2.6 | 1.1.1.1
Mar 16, 2025 21:55:53.590890884 CET | 53 | 51575 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 16, 2025 21:55:53.584377050 CET | 192.168.2.6 | 1.1.1.1 | 0xb9ac | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 16, 2025 21:55:53.590890884 CET | 1.1.1.1 | 192.168.2.6 | 0xb9ac | No error (0) | api.msn.com | api-msn-com-oneservice-world-default.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 21:55:53.590890884 CET | 1.1.1.1 | 192.168.2.6 | 0xb9ac | No error (0) | api-msn-com-oneservice-world-default.trafficmanager.net | api-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 21:55:53.590890884 CET | 1.1.1.1 | 192.168.2.6 | 0xb9ac | No error (0) | api-msn-com.a-0003.a-msedge.net | a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 21:55:53.590890884 CET | 1.1.1.1 | 192.168.2.6 | 0xb9ac | No error (0) | a-0003.a-msedge.net |  | 204.79.197.203 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:55:59.259989023 CET | 1.1.1.1 | 192.168.2.6 | 0x6793 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:55:59.259989023 CET | 1.1.1.1 | 192.168.2.6 | 0x6793 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:56:11.788650036 CET | 1.1.1.1 | 192.168.2.6 | 0x32c8 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:56:11.788650036 CET | 1.1.1.1 | 192.168.2.6 | 0x32c8 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:56:59.205828905 CET | 1.1.1.1 | 192.168.2.6 | 0x8bee | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:56:59.205828905 CET | 1.1.1.1 | 192.168.2.6 | 0x8bee | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:57:49.908030987 CET | 1.1.1.1 | 192.168.2.6 | 0x1c8 | No error (0) | g-bing-com.ax-0001.ax-msedge.net | ax-0001.ax-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 21:57:49.908030987 CET | 1.1.1.1 | 192.168.2.6 | 0x1c8 | No error (0) | ax-0001.ax-msedge.net |  | 150.171.28.10 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 21:57:49.908030987 CET | 1.1.1.1 | 192.168.2.6 | 0x1c8 | No error (0) | ax-0001.ax-msedge.net |  | 150.171.27.10 | A (IP address) | IN (0x0001) | false

                  Target ID:0
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe"
                  Imagebase:0x400000
                  File size:845'312 bytes
                  MD5 hash:F6DC48CB4911EAA1C1932AC896C99EA3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\EE27.tmp\EE37.tmp\EE38.bat "C:\Users\user\Desktop\USE INCASE OF A SEVERE FORKIE.exe""
                  Imagebase:0x7ff6094c0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff68dae0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Users\user\AppData\Roaming\mbr.exe
                  Wow64 process (32bit):false
                  Commandline:mbr.exe
                  Imagebase:0x400000
                  File size:135'004 bytes
                  MD5 hash:2C7B90466A55D23E795EC70DBE20F23B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 43%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:5
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Users\user\AppData\Roaming\meth.exe
                  Wow64 process (32bit):false
                  Commandline:meth.exe
                  Imagebase:0x140000000
                  File size:1'219'072 bytes
                  MD5 hash:EA98448B2C0EAA773F5E10C4C9DFF7AD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 2%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:6
                  Start time:16:55:41
                  Start date:16/03/2025
                  Path:C:\Windows\System32\LogonUI.exe
                  Wow64 process (32bit):false
                  Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa380c055 /state1:0x41c64e6d
                  Imagebase:0x7ff75c080000
                  File size:13'824 bytes
                  MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:10
                  Start time:16:55:42
                  Start date:16/03/2025
                  Path:C:\Windows\System32\cdd.dll
                  Wow64 process (32bit):false
                  Commandline:
                  Imagebase:0x7ff79e1f0000
                  File size:267'264 bytes
                  MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                  Has elevated privileges:
                  Has administrator privileges:
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:11
                  Start time:16:55:43
                  Start date:16/03/2025
                  Path:C:\Windows\System32\LogonUI.exe
                  Wow64 process (32bit):false
                  Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3810055 /state1:0x41c64e6d
                  Imagebase:0x7ff75c080000
                  File size:13'824 bytes
                  MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:13
                  Start time:16:55:43
                  Start date:16/03/2025
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:"fontdrvhost.exe"
                  Imagebase:0x7ff72ae70000
                  File size:827'408 bytes
                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:21
                  Start time:16:55:44
                  Start date:16/03/2025
                  Path:C:\Windows\System32\cdd.dll
                  Wow64 process (32bit):
                  Commandline:
                  Imagebase:
                  File size:267'264 bytes
                  MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                  Has elevated privileges:
                  Has administrator privileges:
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:22
                  Start time:16:55:44
                  Start date:16/03/2025
                  Path:C:\Windows\System32\LogonUI.exe
                  Wow64 process (32bit):false
                  Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa381d055 /state1:0x41c64e6d
                  Imagebase:0x7ff75c080000
                  File size:13'824 bytes
                  MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:24
                  Start time:16:55:45
                  Start date:16/03/2025
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:"fontdrvhost.exe"
                  Imagebase:0x7ff72ae70000
                  File size:827'408 bytes
                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:28
                  Start time:16:55:46
                  Start date:16/03/2025
                  Path:C:\Windows\System32\cdd.dll
                  Wow64 process (32bit):
                  Commandline:
                  Imagebase:
                  File size:267'264 bytes
                  MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                  Has elevated privileges:
                  Has administrator privileges:
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:29
                  Start time:16:55:46
                  Start date:16/03/2025
                  Path:C:\Windows\System32\LogonUI.exe
                  Wow64 process (32bit):false
                  Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3824855 /state1:0x41c64e6d
                  Imagebase:0x7ff75c080000
                  File size:13'824 bytes
                  MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:30
                  Start time:16:55:46
                  Start date:16/03/2025
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:"fontdrvhost.exe"
                  Imagebase:0x7ff72ae70000
                  File size:827'408 bytes
                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:35
                  Start time:16:55:48
                  Start date:16/03/2025
                  Path:C:\Windows\System32\cdd.dll
                  Wow64 process (32bit):
                  Commandline:
                  Imagebase:
                  File size:267'264 bytes
                  MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                  Has elevated privileges:
                  Has administrator privileges:
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:36
                  Start time:16:55:48
                  Start date:16/03/2025
                  Path:C:\Windows\System32\LogonUI.exe
                  Wow64 process (32bit):false
                  Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa382c055 /state1:0x41c64e6d
                  Imagebase:0x7ff75c080000
                  File size:13'824 bytes
                  MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:38
                  Start time:16:55:48
                  Start date:16/03/2025
                  Path:C:\Windows\System32\fontdrvhost.exe
                  Wow64 process (32bit):false
                  Commandline:"fontdrvhost.exe"
                  Imagebase:0x7ff72ae70000
                  File size:827'408 bytes
                  MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true
